Score:0

Is there specificity in DNS?

WoJ

I own a domain (say, example.com) and wanted to:

  • automatically update ext.example.com with my public DNS (via a script that will make the update once the ISP-provided IP changes) → this works
  • redirect the apex domain (example.com) to ext.example.com
  • use a wildcard *.example.com to point to ext.example.com

To do this, I set up the relevant DNS entries as follows (plus SOA and NS):

           IN DNAME  ext.example.com.
*          IN CNAME  ext.example.com.
ext     60 IN A      350.299.1.1

When querying ext.example.com I get a weird answer: a recursive concatenation of ext

ext.example.com.            3508    IN      CNAME   ext.ext.example.com.
ext.ext.example.com.        3508    IN      CNAME   ext.ext.ext.example.com.
ext.ext.ext.example.com.    3508    IN      CNAME   ext.ext.ext.ext.example.com.
(about 20 such lines in total)

It seems that the match is done on *.example.com (the CNAME) and not ext.example.com (the A record).

Is there a way to force specificity on DNS? (i.e. so that the more specific ext.example.com is provided, instead of the more general wildcard)

Patrick Mevzek
Don't use `DNAME`. It exists, and works, but everyone who tried to use it (`.cat` TLD tried, and `.ngo` too) finally realized it is creating more problems than solutions.
YonzLeon
Just use * for your A record; ext will be included in that wildcard configuration :D If you need redirect configuration like HTTP, just do it on the web server side.
Score:0
WoJ

This was due to my lack of understanding of what DNAME is.

I thought it has a function similar to ALIAS - to redirect the apex domain (not possible with CNAME). It does not - it remaps a domain.

Removing it solved the immediate problem but not the general one (how to deal with a naked domain without support for ALIAS).

You either need to have the naked domain also contain the IP address, or you need to use a DNS provider that "pretends" to allow CNAME records for the naked domain. Effectively, the DNS provider monitors the value of the subdomain A record and copies it to the naked domain whenever it changes.
WoJ
@MosheKatz: yes, I think I will write a script to change the records via the DNS provider's API, and run it when the IP changes.
Patrick Mevzek
"I thought it has a function similar to ALIAS" Absolutely not. There is not yet a standardized way to have "CNAME at apex", so `DNAME` is not the solution for that. The current work in progress that will become a standard, and which is already used by CloudFlare and iOS at least, defines two new DNS records called `SVCB` and `HTTPS` and those will allow the equivalent of CNAME at apex, at least for browsers (it could have worked decades ago with the `SRV` record... that no browsers wanted to support).
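
The remapping behaviour discussed in this answer and its comments, as an added example that is not part of the original thread: a Python sketch of DNAME substitution (RFC 6672) applied to the question's zone, showing why `ext.example.com` keeps growing. The function names and the 20-hop limit are assumptions chosen to mirror the output in the question; real resolvers apply their own limits.

```python
# Added illustration (not from the thread): DNAME substitution per RFC 6672.
MAX_NAME_OCTETS = 255  # wire-format limit on a domain name


def labels(name):
    """Split a domain name into lowercase labels, ignoring the trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def wire_length(lbls):
    """Octets on the wire: one length byte per label plus the root byte."""
    return sum(len(part) + 1 for part in lbls) + 1


def dname_substitute(qname, owner, target):
    """Return the rewritten name, or None when the DNAME does not apply.

    A DNAME covers names strictly below its owner, never the owner itself,
    which is why it cannot act as an apex alias.
    """
    q, o = labels(qname), labels(owner)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    return ".".join(q[:len(q) - len(o)] + labels(target)) + "."


def follow(qname, owner, target, max_hops=20):
    """Follow the synthesized CNAMEs; max_hops is an assumed resolver limit."""
    chain, current = [], qname
    for _ in range(max_hops):
        nxt = dname_substitute(current, owner, target)
        if nxt is None:
            return chain, "left the DNAME subtree"
        if wire_length(labels(nxt)) > MAX_NAME_OCTETS:
            return chain, "name too long"
        chain.append((current, nxt))
        current = nxt
    return chain, "hop limit"


if __name__ == "__main__":
    # Zone from the question: DNAME at example.com. targeting ext.example.com.
    hops, reason = follow("ext.example.com.", "example.com.", "ext.example.com.")
    for src, dst in hops[:3]:
        print(f"{src:<30} CNAME {dst}")
    print(f"... {len(hops)} hops, stopped: {reason}")
```

Because the DNAME target sits inside the subtree the DNAME itself rewrites, every substitution produces another name that is rewritten again; a target outside `example.com` ends the chain after one hop.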
Score:0

Redirecting the Apex of a domain is an age-old DNS limitation that keeps getting more important every year.

Many DNS vendors have their own proprietary solutions to this limitation (such as AWS or Cloudflare's flattened CNAMEs, or Neustar's ApexAlias record).

But you might be interested to know there is a draft solution to this problem that may be implemented directly into DNS if it gets accepted by the industry at large.

See here for the draft proposal

https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-01

Or for an easier read, see here for a great writeup by Cloudflare

https://blog.cloudflare.com/speeding-up-https-and-http-3-negotiation-with-dns/
