A record of domain name must be name server ?

Kevin Darcy kcd at chrysler.com
Thu Sep 11 16:53:33 UTC 2014


On 9/11/2014 12:08 PM, Matus UHLAR - fantomas wrote:
>> On 9/11/2014 3:47 AM, Matus UHLAR - fantomas wrote:
>>> On 10.09.14 18:13, Kevin Darcy wrote:
>>>> No, what I'm saying is that if
>>>>
>>>> example.com owns an A record 203.0.113.48, and
>>>> www.example.com owns an A record 203.0.113.48, then
>>>>
>>>> where does 48.113.0.203.in-addr.arpa point?
>>>
>>> Completely your decision.
>>>> Some people will point it at example.com, some will point it at 
>>>> www.example.com. What you get is a mish-mosh. No consistency.
>>>
>>> Do not mix multiple A and PTR. they are just different things.
>>> You are creating issues where there are none.
>
> On 11.09.14 11:20, Kevin Darcy wrote:
>> The issue is consistency. If you give admins choices where to point a 
>> PTR, and the RFCs don't provide any clear guidance, you're going to 
>> get inconsistent results.
>
> sorry, but again - you are searching for consistency somewhere, where no
> consistency (nor a PTR) is required.
>
>> Consistency is a good thing, isn't it? Sure, the earth isn't going to 
>> fall off its axis of rotation just because of the way people point 
>> their A and PTR records, CNAME or don't CNAME. But if we can nudge 
>> people in the direction of consistency, and there is no downside, why 
>> wouldn't we do that? That's what "best practices" are all about -- 
>> impelling people towards processes/methods/conventions that 
>> ultimately benefit *everyone*. Greatest good for the greatest number, 
>> and all that.
>
> I haven't met a case where this level of "consistency" would be needed.
Needed? Is that where you're setting the bar here? A little too high, 
I'd say. My point is that consistency is a good thing, and the "CNAME to 
@" practice helps to foster that. Whether it's *needed* would be a whole 
other question. Somewhere between "necessary" and (what Alan called) 
"preferences" are these things called recommendations or best practices.


> I have met a case where the "only one A should point to an IP" caused
> troubles.
Well, sure. Some names, such as zone-apex names, *cannot* own CNAME 
records. If example1.com and example2.com need to resolve to the same 
IP, then, and assuming they are both zone-apex names, you're going to 
have multiple As with the same RDATA, and a reverse-record ambiguity. 
That's unavoidable. All I'm saying, is that in the normal case, where 
you have an option, "CNAME to @" makes a lot of sense and should be 
followed.
>
> your argument fails immediately when there's need for more than just A on
> www.example.com
If the RDATA needs to be *different* between "www" and apex, or the 
application/subsystem which accesses the resource makes a distinction 
between canonical names and aliases, sure. I'm not laying down a 
hard-and-fast rule. Of course there will be exceptions, where the 
higher-level protocols or the user requirements demand it.
>
>> (Yes, I'm aware that there was a proposal recently discussed on the 
>> DNSOP list for an MX-target convention to denote "no mail service 
>> offered here". That would presumably solve the problem I cited in the 
>> previous paragraph. But AFAIK that proposal is many years away from 
>> widespread adoption, and even if adopted, it puts an extra burden on 
>> the DNS admins to populate the "no service" MX record, which, again, 
>> is going to produce inconsistent results -- some admins will remember 
>> to do it; many won't).
>
> ... and this is just example of it.
An example of what? Of what bad things can happen when (semi-)important 
things are left to mere "preference"?
>
>>> The same applies for all other RRs for exmaple.com Alan named crap.
>>>
>> Actually, the only other RR type that Alan enumerated specifically 
>> was NS, which operates on entirely different principles, and serves a 
>> significantly different function, than MX-based mail routing. Who 
>> would be looking up www.example.com with QTYPE=NS? Is that even a 
>> plausible use-case scenario?
>
> well, me and Alan have shown examples why "www CNAME @" is not a good 
> idea.
Alan's concern was that the "www" name could get associated with record 
types that the DNS admin might not have expected. This is not a problem 
for a competent admin, who will have realistic expectations and an 
understanding of CNAME mechanics. You raised the possibility that a mail 
server might reject messages sent erroneously to "www" and I responded 
that if it's going to fail anyway, at least that failure mode is better 
than a mail server trying to deliver mail to a web server (which is what 
happens in the same scenario when "www" is an independent A record).

You got anything else?

> we both also said it's personal preference.
And I'm saying that's a cop-out. It should be a recommended practice -- 
except where there are special mitigating circumstances which make it 
inappropriate or unworkable -- not merely a "preference". Hair styles 
and musical genres are "preferences"; encouraging consistent 
forward/reverse mappings is something that all DNS admins have a stake 
in, whether they realize it or not.

>
>> What other RR types do you have in mind? 
>
> Does it matter at all? It _may_ happen, and it's the case where CNAME is
> not usable
It's not usable where it's not usable, of course. But, where it *is* 
usable, I'm just saying it's recommended, in order to prevent 
reverse-record ambiguity, and to reduce maintenance in the event that 
the IP address changes. Did you seriously think I'd recommend something 
that *doesn't*work*? Please, give me a little more credit than that.

         - Kevin


More information about the bind-users mailing list