0

When configuring a Google Site on a custom domain, the instructions provided by Google specify to create two records for the domain - a TXT and CNAME record. The TXT record contains a code that Google uses to verify domain ownership before allowing users to register that domain as the site address.

Also, the instructions say to keep the TXT record for verification purposes.

From what I understand concurrent CNAME and TXT records for the same address isn't officially allowed, but testing this with Cloudflare I can see that it's possible to have concurrent TXT and CNAME records for the same domain. Presumably this is the same for other DNS management services since Google Sites is very popular and I imagine that Google Site CNAME entries are handled quite frequently across the world.

However I was recently working with a network support team to register a Google Site where the CNAME and TXT record were seemingly NOT allowed to co-exist. When both a CNAME and TXT record were present for the same domain, the software threw a configuration error (Name Server Daemon - or at least I think it was this software since the command was nsd).

Am I correct in my observation that the nsd software doesn't support the requirement of simultaneous TXT and CNAME records for the same domain? And, if so, how do other DNS management services such as Cloudflare allow for this?

== Edit ==

As requested in the comments, here is a screenshot of the Google Sites verification request:

[screenshot of the Google Sites verification request; image not reproduced here]

Zach Smith

  • "Am I correct in my observation that the nsd software doesn't support the requirement of simultaneous TXT CNAME records for the same domain?" `nsd` is totally right in forbidding this as it is against the standard. Imagine you have `A CNAME B` + `A TXT foobar` and `B TXT gloups`. What should a query for `A TXT` return? Both `TXT`? Only first one? Only last one? It is basically because of this question that a `CNAME` can not cohabit with anything else (besides the requirements for DNSSEC as detailed in the answer). – Patrick Mevzek Jun 28 '22 at 14:55
  • "the instructions provided by Google specify to create two records for the domain - a TXT and CNAME record." Can you give a specific reference (link) on where you saw that? You may have misread something because I am pretty sure Google wouldn't be so foolish to ask for a DNS configuration that is against the protocol and should be refused everywhere. Are you sure it is not "TXT **OR** CNAME" record instead? – Patrick Mevzek Jun 28 '22 at 14:57
  • @PatrickMevzek - I have edited the question to include a screenshot of the request. I interpret the part that I highlighted in yellow to mean that the TXT and CNAME DNS records should co-exist. – Zach Smith Jun 29 '22 at 05:43
  • No, you are clearly misreading the instructions. The instructions are: 1) add a TXT record, 2) keep it after, but 3) **ALTERNATE** solution: add a CNAME record. So it is really `TXT` or `CNAME`, absolutely not both. – Patrick Mevzek Jun 29 '22 at 13:08
  • Ah right - so the TXT route just assumes that all you want to do with Google is validate the domain. I was just assuming that this page was specific to Google Sites. – Zach Smith Jun 30 '22 at 07:13

2 Answers

5

It is defined at the protocol level that (RFC 2181, 10.1):

An alias name (label of a CNAME record) may, if DNSSEC is in use, have SIG, NXT, and KEY RRs, but may have no other data. That is, for any label in the DNS (any domain name) exactly one of the following is true:

  • one CNAME record exists, optionally accompanied by SIG, NXT, and KEY RRs,
  • one or more records exist, none being CNAME records,
  • the name exists, but has no associated RRs of any type,
  • the name does not exist at all.

If any implementation does something else it is against the protocol.

One way to circumvent this would be adding the TXT record on the target of the CNAME record:

something.example.com. IN CNAME canonical.example.com.
canonical.example.com. IN TXT   "google-site-verification=*****"
Esa Jokinen
  • I'm surprised that something like nsd would go against the protocol... Could you guess why? – Zach Smith Jun 28 '22 at 14:52
  • Sorry - just out of interest, what is the "IN" in each entry? – Zach Smith Jun 28 '22 at 14:53
  • `nsd` is right in refusing CNAME+TXT. `IN` means `INternet` which is the DNS class and basically the only one you will ever see. DNS was invented with other use cases at that time (40 years ago!) that never formalized to the level of `IN` today. – Patrick Mevzek Jun 28 '22 at 14:54
  • In the Google sites the cname target is a google address, so I wouldn't be able to add a txt record there – Zach Smith Jun 28 '22 at 14:54
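The RFC 2181 section 10.1 rule quoted in this answer, and the workaround of moving the TXT record to the CNAME target, can be checked mechanically. The following is an added example, not code from the answer or from nsd: it parses a handful of zone-file lines, flags any owner name that holds a CNAME next to non-DNSSEC data (the same condition nsd rejects), and then resolves a query by following the CNAME the way a resolver does, which shows why the owner-side TXT would never be consulted anyway. The zones, the `192.0.2.10` address and the `PLACEHOLDER` verification token are constructed; `DNSSEC_BESIDE_CNAME` adds the modern RRSIG/NSEC/NSEC3 types to the SIG/NXT/KEY names the RFC uses, which is an assumption of this example.

```python
"""Check a tiny zone for the RFC 2181 10.1 CNAME rule and resolve through CNAMEs.
Added example with constructed records; not part of the original answer."""
import re
from collections import defaultdict

# Types that may sit beside a CNAME when DNSSEC is in use. RFC 2181 names
# SIG/NXT/KEY; RRSIG/NSEC/NSEC3 are their successors (assumption of this example).
DNSSEC_BESIDE_CNAME = {"SIG", "NXT", "KEY", "RRSIG", "NSEC", "NSEC3"}

# owner [ttl] IN TYPE rdata   (class is always IN, as in the answer's snippet)
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.+)$")


def parse_zone(text):
    """Parse zone lines into {owner: [(type, rdata), ...]}; ';' starts a comment."""
    zone = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # simplification: no ';' inside TXT data
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {raw!r}")
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3).strip()
        zone[owner].append((rtype, rdata))
    return dict(zone)


def check_cname_rule(zone):
    """Return RFC 2181 10.1 violations: a CNAME owner may hold only DNSSEC data."""
    problems = []
    for owner, rrs in sorted(zone.items()):
        types = [t for t, _ in rrs]
        cnames = types.count("CNAME")
        if cnames == 0:
            continue
        if cnames > 1:
            problems.append(f"{owner}: {cnames} CNAME records, only one allowed")
        others = sorted({t for t in types if t != "CNAME" and t not in DNSSEC_BESIDE_CNAME})
        if others:
            problems.append(f"{owner}: CNAME cannot coexist with {', '.join(others)}")
    return problems


def resolve(zone, qname, qtype, max_hops=8):
    """Answer a query as a resolver does: follow CNAMEs, then collect qtype at the end."""
    answer = []
    name = qname.lower()
    for _ in range(max_hops):
        rrs = zone.get(name, [])
        cname = [rdata for t, rdata in rrs if t == "CNAME"]
        if cname and qtype != "CNAME":
            answer.append((name, "CNAME", cname[0]))
            name = cname[0].lower()  # restart the lookup at the canonical name
            continue
        answer.extend((name, t, rdata) for t, rdata in rrs if t == qtype)
        return answer
    raise RuntimeError(f"CNAME chain from {qname} exceeds {max_hops} hops")


# Constructed zone mirroring the question: TXT and CNAME on the same owner.
REJECTED_ZONE = """
something.example.com. IN CNAME canonical.example.com.
something.example.com. IN TXT   "google-site-verification=PLACEHOLDER"
"""

# Constructed zone following the answer's workaround: TXT on the CNAME target.
WORKAROUND_ZONE = """
something.example.com. IN CNAME canonical.example.com.
canonical.example.com. IN TXT   "google-site-verification=PLACEHOLDER"
canonical.example.com. IN A     192.0.2.10
"""

# Constructed signed zone: CNAME with only DNSSEC data beside it is permitted.
SIGNED_ZONE = """
signed.example.com. IN CNAME canonical.example.com.
signed.example.com. IN RRSIG CNAME 13 3 300 20250101000000 20241201000000 12345 example.com. PLACEHOLDERSIG==
signed.example.com. IN NSEC  canonical.example.com. CNAME RRSIG NSEC
"""

if __name__ == "__main__":
    print(check_cname_rule(parse_zone(REJECTED_ZONE)))
    print(check_cname_rule(parse_zone(WORKAROUND_ZONE)))
    print(check_cname_rule(parse_zone(SIGNED_ZONE)))
    print(resolve(parse_zone(WORKAROUND_ZONE), "something.example.com.", "TXT"))
```

Running `resolve` against the rejected zone for `something.example.com. TXT` returns only the CNAME: the resolver restarts at `canonical.example.com.`, which has no TXT, so the owner-side verification token would never be seen. That is the ambiguity the comments describe, and why the check flags that zone while the workaround and the DNSSEC-only case pass.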
1

Take a look at RFC 1034 DOMAIN NAMES - CONCEPTS AND FACILITIES, Section 3.6.2

If a CNAME RR is present at a node, no other data should be present;

and

RFC 1920 Common DNS Operational and Configuration Errors, Section 2.4

A CNAME record is not allowed to coexist with any other data.

There is an exception when DNSSEC is in use (RFC 2181 Clarifications to the DNS Specification, Section 10.1 and RFC 4035 Protocol Modifications for the DNS Security Extensions, Section 2.5).

An alias name (label of a CNAME record) may, if DNSSEC is in use, have SIG, NXT, and KEY RRs, but may have no other data.

M. Behrens