-2

I read that it would be desirable to "verify" my email provider (zoho), so according to their instructions I added the following records to my DNS (CNAME code altered slightly):

CNAME   zb14799999   zmverify.zoho.com
TXT     @            v=spf1 include:zoho.com ~all

After doing this my website broke and the DNS for my website (the A records) no longer work, although email continues to work.

So, what is going on here? I read up on the CNAME record and apparently it aliases the whole domain, so are web requests now going to zoho, instead of to where the A records are pointing? Maybe I don't understand how email verification works. Why would I have to alias my whole domain to my email provider to "verify" them?

Tyler Durden
    Provide us with the *whole* zonefile or tell us the domain so we can look it up ourselves. – vidarlo Feb 05 '22 at 14:08
  • Your site would break if you create a `CNAME` record for `@` instead of `zb14799999`. – AlexD Feb 05 '22 at 14:44
  • 1
    @AlexD [it is impossible to create a `CNAME` record for `@`](https://serverfault.com/questions/613829/why-cant-a-cname-record-be-used-at-the-apex-aka-root-of-a-domain) (that's against the RFC) – Nikita Kipriyanov Feb 05 '22 at 18:30
  • 1
    @NikitaKipriyanov while the RFC doesn't allow CNAME for apex records, there is no guarantee that every domain registrar control panel conforms to the RFC requirements. The question you linked clearly mentions such a case: "The webhosting company took the stance .... that their software supports it." – AlexD Feb 05 '22 at 18:41
  • Read the accepted answer please. It explains it correctly, deeply, and in detail, including what Cloudflare does. And, while a *control panel* could allow anything, the DNS server behind it would not. BIND would refuse to load a zone with a bogus CNAME record, for example. I doubt a hosting provider wrote their own DNS software. And *vidarlo* is right, we need a complete zone and the complete instructions, to confirm whether the instructions were followed incorrectly or are themselves incorrect or unclear. – Nikita Kipriyanov Feb 05 '22 at 18:47
  • @NikitaKipriyanov as I said, there are control panels and **DNS server software** which will happily allow CNAME as apex records. Even with BIND you can get a situation when BIND rejects incorrect zone data and as the end result, there is no authoritative server for the domain which leads to the site being broken. – AlexD Feb 05 '22 at 19:42
  • In that case, the whole zone would be broken and email confirmation would not have taken place either. So this question is certainly not that case. Also, can you please tell us of any example DNS software which has such a serious deficiency? (At least to be prepared not to use it by accident.) – Nikita Kipriyanov Feb 05 '22 at 19:48
  • @NikitaKipriyanov `dig @a.ns.bytemark.co.uk cnameexample.org`. And you don't need to use `tell us`. You are not royal. – AlexD Feb 05 '22 at 20:12
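
The disagreement in the comments is about what a CNAME actually aliases and why a CNAME at the apex is rejected. The following is an added Python example, not code from the asker or any commenter: it parses records in the same "TYPE OWNER DATA" shape as the question, checks the two CNAME rules that matter here (a CNAME owner may carry no other record types, and therefore the apex "@", which always carries SOA and NS, can never be a CNAME), and shows that a CNAME on the label zb14799999 leaves the apex A record untouched. The zone contents, the 203.0.113.10 address and the "broken" variant are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample zone modelled on the records in the question: the
# site's A record plus the two records the email provider asked for.
# 203.0.113.10 is a documentation address, not a real host.
SAMPLE_ZONE = """
; type   owner         data
A        @             203.0.113.10
CNAME    zb14799999    zmverify.zoho.com
TXT      @             v=spf1 include:zoho.com ~all
"""

# Constructed zone with the mistake AlexD describes: the CNAME put on "@".
BROKEN_ZONE = """
A        @             203.0.113.10
CNAME    @             zmverify.zoho.com
TXT      @             v=spf1 include:zoho.com ~all
"""


def parse_zone(text):
    """Parse 'TYPE OWNER DATA' lines into (owner, type, data) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        rtype, owner, data = line.split(None, 2)
        records.append((owner, rtype.upper(), data))
    return records


def check_cname_rules(records):
    """Return a list of rule violations (an empty list means the zone is sane).

    Rule 1 (RFC 1034 s3.6.2): an owner name with a CNAME may hold no other
    record types, because the CNAME replaces *all* data at that name.
    Rule 2: the apex '@' always carries SOA and NS, so by rule 1 it can never
    hold a CNAME. Some panels accept it anyway; a standards-conforming server
    such as BIND refuses to load the zone, which takes the whole domain down.
    """
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)

    problems = []
    for owner, types in sorted(types_at.items()):
        if "CNAME" not in types:
            continue
        if owner == "@":
            problems.append("CNAME at apex '@' is invalid: it would alias the "
                            "whole domain and collide with the SOA/NS records")
        others = sorted(types - {"CNAME"})
        if others:
            problems.append(f"CNAME at '{owner}' coexists with {others}; "
                            "a CNAME owner may carry no other record types")
    return problems


def lookup(records, owner, rtype):
    """Mimic what a resolver returns for one name/type: the CNAME target if
    the name is an alias, otherwise the data of the matching records."""
    at_name = [(t, d) for o, t, d in records if o == owner]
    cname = [d for t, d in at_name if t == "CNAME"]
    if cname:
        return ("CNAME", cname[0])
    return (rtype, [d for t, d in at_name if t == rtype])


if __name__ == "__main__":
    good = parse_zone(SAMPLE_ZONE)
    print("sample zone problems:", check_cname_rules(good))
    # The CNAME only affects zb14799999.<domain>; the apex keeps its A record.
    print("zb14799999 ->", lookup(good, "zb14799999", "A"))
    print("@ A        ->", lookup(good, "@", "A"))
    print("broken zone problems:")
    for problem in check_cname_rules(parse_zone(BROKEN_ZONE)):
        print("  -", problem)
```

Run against the sample zone the checker reports nothing and the apex still answers with its A record, which is why the verification CNAME from the question cannot by itself have redirected the website; the "broken" zone trips both rules, and that is the shape of zone a conforming server would refuse to serve.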

1 Answer

0

This was a false alarm. In fact, other browsers were able to correctly access the web site. The cause was that the web site had no SSL functionality and the test URL was getting defaulted by the browser to https instead of http. So, I am suggesting a test protocol for problems like this for users that have similar problems when they get a "site not found" (=DNS) error in their browser:

  • Verify that the URL is correct, especially that the expected protocol (HTTP vs HTTPS vs FTP or whatever) is being used by the browser

  • Verify that the IP address works and that it is truly a DNS issue (i.e. try http://45.180.23.121:80 or whatever the IP address is)

  • Verify that you are using the right port number if the web server does not use the default port of 80

  • Check with other browsers, on other machines if possible to narrow down the context of the problem

  • Try nslookup to see if the machine is resolving the URL correctly

  • Use a tool such as dnsrecon to explicate the name resolution as it is currently being published by the DNS servers

  • If the problem is browser specific, clear the DNS cache of the browser for the domain in question and try restarting the browser if necessary.

  • If the problem is guaranteed to be browser specific and you are sure the URL is being entered correctly and the DNS cache is clear, then try restarting the browser, and lastly reset the browser to default settings and disable extensions.

Tyler Durden
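
The protocol in the answer is, in effect, an ordered set of checks that tells a bad URL apart from a DNS failure and from a connection failure, and the answer's own root cause (a plain-HTTP site reached over an https:// URL the browser substituted) is a connection failure on port 443, not a DNS error. The following is an added Python example, not the answerer's code, that runs those checks in that order and names the first one that fails. The resolver and the port probe are injectable so the logic can be exercised against constructed fakes; the hostnames and 203.0.113.10 in the usage below are placeholders.

```python
import socket
from urllib.parse import urlsplit


def tcp_probe(ip, port, timeout=3.0):
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((ip, port), timeout=timeout):
        pass


def diagnose(url, resolver=socket.gethostbyname, probe=tcp_probe):
    """Classify why a browser might report a site as unreachable.

    Returns (stage, detail) where stage is the first check that failed:
      'url'  - not an http/https URL with a host (wrong scheme, typo)
      'dns'  - the hostname does not resolve (a real DNS problem)
      'tcp'  - the name resolved but nothing accepts connections on the port
      'ok'   - every check passed
    resolver and probe are injectable so the logic can be tested offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ("url", f"not an http/https URL with a host: {url!r}")
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)

    try:
        ip = resolver(host)
    except OSError as exc:          # socket.gaierror is an OSError subclass
        return ("dns", f"{host} does not resolve: {exc}")

    try:
        probe(ip, port)
    except OSError as exc:
        detail = f"{host} resolved to {ip} but {ip}:{port} refused or timed out: {exc}"
        if parts.scheme == "https" and port == 443:
            # The answer's root cause: the site only speaks plain HTTP and the
            # browser silently upgraded the URL to https://.
            detail += " (not a DNS problem; retry with http:// explicitly)"
        return ("tcp", detail)

    return ("ok", f"{host} -> {ip}:{port} accepts connections")


if __name__ == "__main__":
    import sys
    # Placeholder target; pass real URLs as arguments when running this yourself.
    for target in sys.argv[1:] or ["http://www.example.com/"]:
        stage, detail = diagnose(target)
        print(f"[{stage}] {detail}")
```

The stage names map onto the answer's steps: 'url' is the "check the scheme" step, 'dns' is what nslookup or dnsrecon would confirm, and 'tcp' is the "try the IP address and port directly" step. Only a 'dns' result justifies editing zone records; a 'tcp' result on 443 for a site without TLS is exactly the false alarm the answer describes.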