
I observed an unexpected behavior in the usage of Azure DNS Zones.

I have the following DNS Records:

_acme_challenge.<mysubdomain1>  IN TXT   -> any value
*                               IN CNAME -> <mysubdomain2>.<mydomain>.com
<mysubdomain2>                  IN A     -> <myIPaddress> 

If I now do an nslookup for <mysubdomain1>.<mydomain>.com, I would expect to get a valid response: myIPaddress. But the TXT record is blocking the resolution. After removing the TXT entry, I receive the expected result.

Do you know if this behavior is right? For me it seems wrong, but it is not really clear if it works as expected and on purpose.

There is already a discussion about the exact same topic: https://github.com/cert-manager/cert-manager/issues/806, but not with a meaningful final result.

Hope you can help! Thanks

Norbert Koch

2 Answers


This is actually expected behaviour.

RFC1034 has this information:

Wildcard RRs do not apply:

  • When the query is in another zone. That is, delegation cancels the wildcard defaults.

  • When the query name or a name between the wildcard domain and the query name is known to exist. For example, if a wildcard RR has an owner name of "*.X", and the zone also contains RRs attached to B.X, the wildcards would apply to queries for name Z.X (presuming there is no explicit information for Z.X), but not to B.X, A.B.X, or X.

and this is the second bullet at play here. Your LetsEncrypt challenge record:

_acme_challenge.<mysubdomain1>  IN TXT   -> any value

introduced a name <mysubdomain1> and this cancelled the wildcard. What you need is:

<mysubdomain1>                  IN CNAME -> <mysubdomain2>.<mydomain>.com

as @gapsf suggested (you may have it in addition to the existing wildcard record).

Tomek
  • Thanks for your reply. You are right. I figured out that in RFC4592 Chapter 2.2.3 https://www.rfc-editor.org/rfc/rfc4592 your message is confirmed. It clarifies in more detail when a wildcard `exists` – Norbert Koch Sep 05 '22 at 07:00

Try

_acme_challenge.<mysubdomain1>  IN TXT   -> any value
<mysubdomain1>                  IN CNAME -> <mysubdomain2>.<mydomain>.com
<mysubdomain2>                  IN A     -> <myIPaddress> 

How it works:

Such behavior is expected and not Azure-specific.

Order of RRs is irrelevant.

With your configuration

_acme_challenge.<mysubdomain1>  IN TXT   -> bla-bla-bla
*                               IN CNAME -> <mysubdomain2>.<mydomain>.com
<mysubdomain2>                  IN A     -> <myIPaddress>

  • query A _acme_challenge.mysubdomain1.mydomain.com returns nothing because there is no A RR for _acme_challenge.mysubdomain1.mydomain.com

  • query TXT _acme_challenge.mysubdomain1.mydomain.com returns bla-bla-bla

  • query A mysubdomain1.mydomain.com returns nothing because RR for mysubdomain1.mydomain.com exists (it is _acme_challenge.mysubdomain1.mydomain.com)

  • query A mysubdomain2.mydomain.com returns myIPaddress

  • query A **anything_you_want**.mydomain.com returns CNAME mysubdomain2.mydomain.com because wildcard *.mydomain.com CNAME exists.

Better avoid wildcards.

gapsf
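The lookup rule both answers describe (RFC 1034 wildcards, RFC 4592 "closest encloser"), as an added example that is not code from the question, the answers or Azure DNS: a small single-zone model in which a name "exists" if it owns records or is an empty non-terminal, and a wildcard is only consulted for names that do not exist. The zone is the questioner's configuration with constructed sample values (`bla-bla-bla`, the IP `192.0.2.10`); an in-zone CNAME is followed one hop.

```python
# Minimal model of RFC 1034 / RFC 4592 wildcard synthesis for one zone.
# Names are fully qualified, lowercase, without a trailing dot.
ORIGIN = "mydomain.com"

# Constructed sample zone matching the question's configuration.
ZONE = {
    "_acme_challenge.mysubdomain1.mydomain.com": {"TXT": "bla-bla-bla"},
    "*.mydomain.com": {"CNAME": "mysubdomain2.mydomain.com"},
    "mysubdomain2.mydomain.com": {"A": "192.0.2.10"},  # constructed IP
}


def in_zone(name):
    return name == ORIGIN or name.endswith("." + ORIGIN)


def name_exists(zone, name):
    """RFC 4592 2.2.3: a name exists if it owns RRs or is an empty
    non-terminal, i.e. an ancestor of some owner name in the zone."""
    if not in_zone(name):
        return False
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def closest_encloser(zone, name):
    """Longest existing ancestor of a name (None if outside the zone)."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):
            return ancestor
    return None


def lookup(zone, qname, qtype, depth=0):
    """Answer qname/qtype against the zone. Returns the rdata string, or
    None for NODATA (name exists, no such type) and NXDOMAIN alike."""
    if name_exists(zone, qname):
        rrs = zone.get(qname, {})  # {} for an empty non-terminal: no wildcard!
    else:
        # Only the wildcard directly below the closest encloser may synthesise.
        ce = closest_encloser(zone, qname)
        rrs = zone.get("*." + ce, {}) if ce else {}
    if "CNAME" in rrs and qtype != "CNAME" and depth < 1:
        return lookup(zone, rrs["CNAME"], qtype, depth + 1)
    return rrs.get(qtype)
```

`lookup(ZONE, "mysubdomain1.mydomain.com", "A")` returns None because the TXT record makes `mysubdomain1.mydomain.com` exist; dropping the TXT record, or adding the explicit CNAME from the accepted answer, makes the same query resolve to the A record.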