3

Namecheap seems to let me create a CNAME record on the apex domain, which I thought was contrary to the definition of a CNAME record:

It works (correctly loading up my static site from S3).

Weirdly (and I'm not sure if it's related), there seem to be no name servers registered for this domain: http://dnscheck.pingdom.com/?domain=thereitwas.com&timestamp=1413775781&view=1

Is it just repeatedly looking up the IP address of the target of the record and making an A record to that IP? If so, unless this check is frequent I should probably set it up properly to avoid downtime if my S3 bucket ever changes IP.

Apart from this, is there anything wrong with whatever it may be doing?

tobek
  • 2
    Please do not downvote this question. `thereitwas.com` has an honest to god CNAME at the apex of the domain and it's understandably confusing. – Andrew B Oct 20 '14 at 13:52
  • @AndrewB thank you for the vote of confidence. In asking and researching this question I've learned a bunch and now know how weird it is, but my registrar let me do it, which led me down this (wrong) path. – tobek Oct 20 '14 at 18:50

2 Answers

5

There are some services that offer a special functionality of aliasing in the sense of "we'll publish a regular record (probably A/AAAA in your case) that we regularly look up from a name behind the scenes" that can be used in this kind of situation instead of a CNAME record.

This is not that kind of service; in this case it appears that they are just violating standards by publishing a CNAME record at the zone apex.

This leads to a situation where you have a conflicting set of records at the zone apex.

You have a CNAME record, claiming that this entire name is an alias of whatever name you specified, but then you also have some other records (which isn't possible), such as a SOA record. (NS records also appear to be missing, which seems problematic in itself.)

I would say that all bets are off; it's probably largely implementation-dependent what will happen to work and what will break, but if your goal includes having a reliably available service, this is not a good approach.

Håkan Lindqvist
  • Thanks, this is informative. For instance it looks like CloudFlare does something similar to the first setup you describe: https://support.cloudflare.com/hc/en-us/articles/200169056-CNAME-Flattening-RFC-compliant-support-for-CNAME-at-the-root. I'm still not clear on exactly what might go wrong for my users (who will be accessing a web application through their browsers) but I understand that it's breaking the rules. – tobek Oct 20 '14 at 05:02
  • 1
    Here are some other examples of services with aliasing: [Route53](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values.html#resource-record-sets-values-alias), [DNSimple](http://blog.dnsimple.com/2011/11/introducing-alias-record/), [DnsMadeEasy](http://www.dnsmadeeasy.com/services/aname-records/). – Håkan Lindqvist Oct 20 '14 at 05:18
  • @tobek Part of the problem is that when you violate the spec it's not so easy to predict what will happen in different (resolver server) implementations. – Håkan Lindqvist Oct 20 '14 at 05:33
  • 1
    Thanks, makes sense. I suppose one workaround if you can't switch services would be to settle for www, with a CNAME record, and redirect apex to www. – tobek Oct 20 '14 at 05:39
  • 2
    Wow. They actually *are* doing an apex CNAME. I weep bitter tears for the internet. – Andrew B Oct 20 '14 at 13:49
2

I don't see any reason to think that it works. When I query thereitwas.com, I don't get back valid nameservers. I get the CNAME, follow the CNAME, and get Amazon's nameservers. All attempts to get an authoritative result fail for me.

I ran tests with two DNS check tools and they both agree with my results -- DNS for thereitwas.com is broken because the CNAME makes it impossible to find the authoritative nameservers. The check you ran seems to confirm this.

David Schwartz
  • What I meant when I said that it works is that if you go to thereitwas.com in a browser, the static site served up by S3 loads as if you had gone straight to the S3 host. As far as end-users are concerned, this is all dandy. I understand (having looked into it more) that this violates the spec, but apart from an extra DNS lookup (which would be the case with any normal CNAME), is there anything that will impact users? – tobek Oct 20 '14 at 04:41
  • @tobek If you're satisfied with "it happened to do what I want when I tried it", then fine. But it is not supposed to work, and when I tested it, it did *not* work. I was unable to get authoritative DNS results. – David Schwartz Oct 20 '14 at 04:43
  • I'm satisfied only with "works for 99.999% of users of the service" (in this case an in-browser web application). Your answer hasn't given me any information on how to assess this. It works from every browser and machine I've tried, but that's insufficient assurance. I'm not an expert, so I'm asking you guys. Did the page not load in a web browser for you, or did it fail only when using particular tools? My users will only be accessing the application through a browser. – tobek Oct 20 '14 at 04:55
  • 3
    @tobek You're kind of missing the point. It doesn't make one bit of difference what tools your users use. Their browser is going to ask some DNS server to resolve your domain name to an IP address. That DNS server could be using any software. – David Schwartz Oct 20 '14 at 05:26
  • Thanks, that's more helpful. So there may be DNS servers out there that can't handle this, which of course will impact end-users. As a side note, it seems like you've either forgotten what knowledge may not be available to beginners, or have a bit of an attitude problem. Either way: go easy. – tobek Oct 20 '14 at 05:35
  • @tobek I tried to get an authoritative response and could not get one. Testing tools were unable to get one either. It happened to work when you tried it. The rules specifically prohibit it. Either you're happy with that or you're not. If you're looking for some kind of guarantee, you're not going to get it. It's not supposed to work. – David Schwartz Oct 20 '14 at 05:54
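
The conflict both answers describe (a CNAME sharing the apex with SOA data, and no NS records) can be checked before a zone is published. The following is an added example, not code from either answer or from any registrar: it lints a simplified one-record-per-line zone listing against the RFC 1034 section 3.6.2 rule that a name holding a CNAME holds no other data. The zone contents, `example.com` and the function names are constructed placeholders, and `$ORIGIN`, relative names and multi-line records are not handled.

```python
from collections import defaultdict

# Constructed sample zone (owner TTL class type rdata); all names are placeholders,
# not records taken from the page.
SAMPLE_ZONE = """\
example.com.      1800 IN CNAME example-bucket.s3-website.example.net.
example.com.      1800 IN SOA   ns1.example.org. hostmaster.example.org. 1 3600 600 86400 300
www.example.com.  1800 IN CNAME example-bucket.s3-website.example.net.
mail.example.com. 1800 IN CNAME mx.example.org.
mail.example.com. 1800 IN MX    10 mx.example.org.
"""

# DNSSEC record types that may sit beside a CNAME (RFC 4035 section 2.5).
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}


def parse_zone(text):
    """Return {owner: set of record types} from simplified one-line records."""
    types_by_owner = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype = line.split()[:4]
        types_by_owner[owner.lower().rstrip(".") + "."].add(rtype.upper())
    return types_by_owner


def check_zone(text, apex):
    """List findings: CNAME mixed with other data, and an apex without SOA/NS."""
    apex = apex.lower().rstrip(".") + "."
    zone = parse_zone(text)
    findings = []
    for owner, types in sorted(zone.items()):
        others = types - {"CNAME"} - ALLOWED_WITH_CNAME
        if "CNAME" in types and others:
            findings.append((owner, "CNAME coexists with " + ",".join(sorted(others))))
    apex_types = zone.get(apex, set())
    if "CNAME" in apex_types:
        findings.append((apex, "CNAME at zone apex"))
    for required in ("SOA", "NS"):
        if required not in apex_types:
            findings.append((apex, "apex has no " + required + " record"))
    return findings


if __name__ == "__main__":
    for owner, problem in check_zone(SAMPLE_ZONE, "example.com"):
        print(owner, "-", problem)
```

The `www` CNAME passes because nothing else lives at that name, which is why the "CNAME on www, redirect apex to www" workaround from the comments is the compliant arrangement.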