
I own a domain (say, example.com) and wanted to:

  • automatically update ext.example.com with my public DNS (via a script that will make the update once the ISP-provided IP changes) → this works
  • redirect the apex domain (example.com) to ext.example.com
  • use a wildcard *.example.com to point to ext.example.com

To this end I set up the relevant DNS entries as follows (plus SOA and NS):

           IN DNAME  ext.example.com.
*          IN CNAME  ext.example.com.
ext     60 IN A      350.299.1.1

When querying ext.example.com I get a weird answer: a recursive concatenation of ext

ext.example.com.            3508    IN      CNAME   ext.ext.example.com.
ext.ext.example.com.        3508    IN      CNAME   ext.ext.ext.example.com.
ext.ext.ext.example.com.    3508    IN      CNAME   ext.ext.ext.ext.example.com.
(about 20 such lines in total)

It seems that the match is done on *.example.com (the CNAME) and not ext.example.com (the A record).

Is there a way to force specificity on DNS? (i.e. so that the more specific ext.example.com is provided, instead of the more general wildcard)

WoJ
  • Don't use `DNAME`. It exists, and works, but everyone who tried to use it (`.cat` TLD tried, and `.ngo` too) finally realized it is creating more problems than solutions. – Patrick Mevzek Feb 06 '22 at 19:40
  • Just use * for your A record; ext will be included in that wildcard configuration :D If you need redirect configuration like HTTP, just do it on the web server side. – YonzLeon Feb 09 '22 at 16:42

2 Answers


This was due to my lack of understanding of what DNAME is.

I thought it had a function similar to ALIAS, i.e. to redirect the apex domain (not possible with CNAME). It does not - it remaps a domain.

Removing it solved the immediate problem but not the general one (how to deal with a naked domain without support for ALIAS).

WoJ
  • You either need to have the naked domain also contain the IP address, or you need to use a DNS provider that "pretends" to allow CNAME records for the naked domain. Effectively, the DNS provider monitors the value of the subdomain A record and copies it to the naked domain wherever it changes. – Moshe Katz Feb 06 '22 at 14:05
  • @MosheKatz: yes, I think I will write a script to change the records via the DNS provider's API, and run it when the IP changes. – WoJ Feb 06 '22 at 15:35
  • "I thought it has a function similar to ALIAS" Absolutely not. There is no yet standardized way to have "CNAME at apex", so `DNAME` is not the solution for that. The current work in progress that will become a standard, and which is already used by CloudFlare and iOS at least, defines two new DNS records called `SVCB` and `HTTPS` and those will allow the equivalent of CNAME at apex, at least for browsers (it could have worked decades ago with the `SRV` record... that no browsers wanted to support). – Patrick Mevzek Feb 06 '22 at 19:41
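As an added example (not code from the question or either answer), the following Python simulation applies the lookup rules involved: a DNAME at the apex rewrites every name below it (RFC 6672) and occludes the explicit A record, so the poster's zone chases ext → ext.ext → ext.ext.ext … until the hop limit, whereas without the DNAME the explicit ext record beats the wildcard and the bare apex simply has no address. The hop limit, the SOA placeholder and the function names are assumptions.

```python
MAX_CHAIN = 16  # assumed hop limit; real resolvers also cap CNAME chasing

def _rr(rrs):
    # At a matched node a CNAME wins; otherwise report the A rdata (may be None)
    return ("CNAME", rrs["CNAME"]) if "CNAME" in rrs else ("A", rrs.get("A"))

def match(zone, qname):
    """One RFC 1034 s4.3.2 lookup step with the RFC 6672 DNAME rule.
    zone: {owner: {rtype: rdata}}; returns (rtype, rdata) or None."""
    labels = qname.split(".")
    # Walking down from the top, a DNAME on an ancestor strictly above qname
    # synthesizes a CNAME and occludes everything below it, even an exact A.
    for i in range(len(labels) - 1, 0, -1):
        target = zone.get(".".join(labels[i:]), {}).get("DNAME")
        if target:
            return "CNAME", ".".join(labels[:i]) + "." + target
    if qname in zone:                  # an existing owner name beats any wildcard
        return _rr(zone[qname])
    # No such name: only the wildcard at the closest existing ancestor applies (RFC 4592)
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in zone:
            wild = zone.get("*." + ancestor)
            return _rr(wild) if wild else None
    return None

def resolve(zone, qname):
    """Chase CNAMEs from qname; returns (answer, chain, looped)."""
    chain, name = [], qname
    for _ in range(MAX_CHAIN):
        hit = match(zone, name)
        if hit is None:
            return None, chain, False
        rtype, rdata = hit
        if rtype == "A":
            return rdata, chain, False
        chain.append((name, rdata))
        name = rdata
    return None, chain, True

def question_zone(with_dname=True):
    """The poster's zone (address as written in the question); DNAME optional."""
    zone = {"example.com": {"SOA": "(constructed placeholder)"},
            "*.example.com": {"CNAME": "ext.example.com"},
            "ext.example.com": {"A": "350.299.1.1"}}
    if with_dname:
        zone["example.com"]["DNAME"] = "ext.example.com"
    return zone
```

Running resolve(question_zone(True), "ext.example.com") reproduces the chain from the question, and resolve(question_zone(False), "example.com") shows the apex still has no address, which is the remaining "naked domain" problem.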

Redirecting the Apex of a domain is an age-old DNS limitation that keeps getting more important every year.

Many DNS vendors have their own proprietary solutions to this limitation (such as AWS or Cloudflare's flattened CNAMEs, or Neustar's ApexAlias record).

But you might be interested to know there is a draft solution to this problem that may be implemented directly into DNS if it gets accepted by the industry at large.

See here for the draft proposal:

https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-01

Or, for an easier read, see this writeup by Cloudflare:

https://blog.cloudflare.com/speeding-up-https-and-http-3-negotiation-with-dns/

madacoda