Can a single DNS response contain both A records and cname records? If so, would it be considered unusual or is it typical behavior?

chillsauce
  • Can you provide some context for your question? Where does it come from, why do you question that? Have you seen some examples in the wild, if so, which? Or are you confused by the DNS specifications or some other reference? – Patrick Mevzek Jan 11 '21 at 19:40

3 Answers

If the A record(s) that you refer to are for the canonical name (the "target" of the CNAME record) rather than the query name, then this is perfectly normal.

It would however be in violation of the standards to return CNAME and A (or any other record) for the same name.

Valid example:

foo.example.com.        3600   IN      CNAME   bar.example.com.
bar.example.com.        3600   IN      A       192.0.2.1

Invalid example (not discouraged, invalid):

foo.example.com.        3600   IN      CNAME   bar.example.com.
foo.example.com.        3600   IN      A       192.0.2.1
Håkan Lindqvist
  • Oh I see... so if serverfault.com resolved to stackexchange.com I could receive a single response containing the cname stackexchange.com and stackexchange.com's A record resolutions. Is that right? – chillsauce Jan 11 '21 at 00:15
  • @chillsauce Yes, assuming that I understood you correctly. I added an example to illustrate. – Håkan Lindqvist Jan 11 '21 at 00:17
  • Depending on your DNS provider, it is possible to add both CNAME and A records. But there is a browser/client precedence that makes CNAME win out over the A records. i.e. the A's will never be used. – Vino Jan 11 '21 at 10:22
  • @vino Actually serving both would simply be invalid and not something for browsers to decide on. See this other answer that covers the implications of the invalid case in more detail: https://serverfault.com/a/1047779/183318 – Håkan Lindqvist Jan 11 '21 at 11:21
  • @Vino "But there is a browser/client precedence that makes CNAME win out over the A records" Any actual proof of that? The end client, browser or not, if it relies on the OS to do the resolution, won't see the CNAME at all, just the final answer. It is only if it does its own resolution that it could see those details. – Patrick Mevzek Jan 11 '21 at 19:39
  • To add to Håkan Lindqvist's perfect answer, note that some nameservers will just flat out refuse to load a zonefile containing this kind of invalid configuration (or may just ignore the second record making the whole invalid, so that the new content comes back as valid) – Patrick Mevzek Jan 11 '21 at 19:41
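
As an added example (not code from the post or from any of the answerers), the following Python applies the rule the answer describes to an answer section: a CNAME chain whose A records belong to the CNAME target is accepted, while a CNAME that shares its owner name with other data is rejected. The record tuples, the RRSIG/NSEC allowance and the hop limit are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample answer sections (not from the post), mirroring the answer's
# zone-file lines: (owner name, TTL, type, rdata).
VALID_ANSWER = [
    ("foo.example.com.", 3600, "CNAME", "bar.example.com."),
    ("bar.example.com.", 3600, "A", "192.0.2.1"),
]
INVALID_ANSWER = [
    ("foo.example.com.", 3600, "CNAME", "bar.example.com."),
    ("foo.example.com.", 3600, "A", "192.0.2.1"),
]
# DNSSEC types that may share an owner name with a CNAME (RFC 4035 section 2.5).
CNAME_COMPATIBLE = {"RRSIG", "NSEC"}

def cname_conflicts(records):
    """Owner names carrying a CNAME alongside other, non-DNSSEC data
    (RFC 1034 section 3.6.2: a name with a CNAME must have no other data)."""
    types_by_owner = defaultdict(set)
    for owner, _ttl, rtype, _rdata in records:
        types_by_owner[owner.lower()].add(rtype)
    return sorted(owner for owner, types in types_by_owner.items()
                  if "CNAME" in types and types - CNAME_COMPATIBLE != {"CNAME"})

def resolve_a(qname, records, max_hops=8):
    """Follow the CNAME chain from qname within one answer section and return
    the A rdata of the final canonical name; raise ValueError on invalid data."""
    conflicts = cname_conflicts(records)
    if conflicts:
        raise ValueError("CNAME with other data at: " + ", ".join(conflicts))
    name, seen = qname.lower(), set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        targets = [r for o, _, t, r in records if o.lower() == name and t == "CNAME"]
        if targets:                 # only one CNAME may exist per owner name
            name = targets[0].lower()
            continue
        addrs = [r for o, _, t, r in records if o.lower() == name and t == "A"]
        if not addrs:
            raise ValueError("no A record for " + name)
        return addrs
    raise ValueError("CNAME chain loops or exceeds " + str(max_hops) + " hops")

def describe(qname, records):
    """Resolved addresses, or the validation error text for an invalid answer."""
    try:
        return resolve_a(qname, records)
    except ValueError as exc:
        return str(exc)
```

Running `describe("foo.example.com.", VALID_ANSWER)` returns the A rdata of the target, whereas the second sample is rejected before any chain is followed.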
This is atypical, and in fact is contrary to the RFC. When a CNAME exists, there should be no other types of records for that same result.

tater
  • (except for DNSSEC related records, like RRSIG, of course) – Patrick Mevzek Jan 11 '21 at 19:38
  • If the same name server is canonical for what the CNAME is pointing to, it will also give you that next step, whether another CNAME or an A record. This helps save another round trip or more. – chicks Jan 12 '21 at 18:24
  • It's completely normal, but only if the owner name of the A record in the response is the _target_ of the preceding CNAME (which must itself have a different owner name). – Alnitak Jan 13 '21 at 10:11
I can confirm that it is not a valid DNS response - and how it will be resolved is down to chance. If you are a DNS server admin who is doing this, then please use either A or CNAME (and preferably A).

Note: You can return any combination of other types of records, or a CNAME, but if you return a CNAME you can't return any other kind of record aside from the RRSIG DNSSEC signature, and any working DNS resolver will throw several fits if you try and refuse to take the answer seriously at all.

Shadur
  • Wrong. CNAME and TXT records is still a violation. In fact, asking for a TXT record will still follow a CNAME. Edited with correct info. – Shadur Jan 11 '21 at 10:18
  • @Shadur don't edit wrong answers, downvote them, comment them, add your own reply, but don't fix other ones. – Patrick Mevzek Jan 11 '21 at 19:38
  • "You can return A and AAAA" This is also wrong by the way. A client asks one question, that is with one record type. If it asks A it gets back A (potentially through some CNAME) or an error; if it asks AAAA it gets AAAA or an error. No protocol compliant software will respond with an A record if you asked for AAAA or the opposite. – Patrick Mevzek Jan 11 '21 at 19:42
  • @PatrickMevzek agreed - the only way to get multiple types of answer is querying for ANY `dig -t any google.com` for example – Criggie Jan 12 '21 at 01:41
  • @Criggie No! Don't use `ANY` because 1) it never meant what people believed (it was taken as `ALL` but that is not it at all; if you query a recursive nameserver, it gives you back the content of its cache, not all records - and it has no way to know all records) and 2) it is now deprecated, see RFC 8482. – Patrick Mevzek Jan 12 '21 at 03:24
  • If you go along that road you could as well say it will be the case when sending AXFR queries, but that is besides the point. – Patrick Mevzek Jan 12 '21 at 03:24