About the "CNAME-restart logic" mentioned in https://blog.cloudflare.com/cname-a-record-order-dns-standards/, we have tested mainstream resolvers' behaviors in our USENIX Security 2023 paper:
CNAME Chaining: https://www.usenix.org/system/files/usenixsecurity23-li-xiang.pdf (Section 4.1 and Table 2)

> Third, we also found that the resolver can select a CNAME record from all
> the CNAME records embedded in R (during UpdateQuery) and query the closest
> server in the cache, but the implementations differ. BIND, Unbound, MaraDNS,
> and Simple DNS Plus use the first CNAME record to issue the following query Q,
> while Knot Resolver and PowerDNS Recursor use the last CNAME record.
> Microsoft DNS selects a random CNAME record to lookup.

Xiang Li
Nankai University

On Wed, Jan 14, 2026 at 11:09 PM Joe Abley via dns-operations <[email protected]> wrote:

> ---------- Forwarded message ----------
> From: Joe Abley <[email protected]>
> To: Dave Lawrence <[email protected]>
> Cc: [email protected], [email protected]
> Bcc:
> Date: Wed, 14 Jan 2026 16:01:43 +0100
> Subject: Re: [dns-operations] Cloudflare CNAME ordering issue?
>
> Hey,
>
> On 12 Jan 2026, at 18:20, Joe Abley <[email protected]> wrote:
>
> On 12 Jan 2026, at 17:00, Dave Lawrence via dns-operations <[email protected]> wrote:
>
> Anyone have some examples of what the answers looked like during the
> incident? I'm curious about how "the expectations of certain DNS
> client implementations" were improper.
>
> From another article I understood that the Cisco problem was
> they bombed out when they got the answer, but I'd not be inclined to
> describe that quite as an issue of their expectations.
>
> There will be a Cloudflare blog about this that describes things in some
> detail, some time this week I think.
>
> Sebastiaan's blog is now up, read it while it's hot:
>
> https://blog.cloudflare.com/cname-a-record-order-dns-standards/
>
> We also took the opportunity to dust off a related old internet-draft from
> 2015 and resubmit it, with this operational impact fresh in our minds:
>
> https://datatracker.ietf.org/doc/draft-jabley-dnsop-ordered-answer-section/
>
> Joe & Sebastiaan
>
> ---------- Forwarded message ----------
> From: Joe Abley via dns-operations <[email protected]>
> To: Dave Lawrence <[email protected]>
> Cc: [email protected]
> Bcc:
> Date: Wed, 14 Jan 2026 16:01:43 +0100
> Subject: Re: [dns-operations] Cloudflare CNAME ordering issue?
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
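An added example, not part of this thread, the paper, or any resolver's code: a small lint for an answer section that flags the two conditions discussed above, several CNAME records for one owner name (where the quoted paper reports first/last/random selection) and a record whose owner is not the name a single in-order pass currently expects. The record tuples, names, and the `lint_answer` helper are constructed for illustration.

```python
from collections import defaultdict

# Constructed answer sections: (owner, type, rdata), names already lower-cased.
ORDERED = [
    ("www.example.test.", "CNAME", "edge.example.test."),
    ("edge.example.test.", "A", "192.0.2.10"),
]
REORDERED = [ORDERED[1], ORDERED[0]]  # same records, CNAME after the A record
MULTI_CNAME = [
    ("www.example.test.", "CNAME", "a.example.test."),
    ("www.example.test.", "CNAME", "b.example.test."),
]


def lint_answer(qname, answer):
    """Return findings for an answer section; [] means it walks cleanly in order."""
    findings = []

    # 1. Several distinct CNAME targets for one owner: the next query depends on
    #    whether the consumer takes targets[0], targets[-1], or a random one.
    cnames = defaultdict(list)
    for owner, rtype, rdata in answer:
        if rtype == "CNAME":
            cnames[owner].append(rdata)
    for owner, targets in cnames.items():
        if len(set(targets)) > 1:
            findings.append(("multiple-cname", owner, targets))

    # 2. One pass in wire order, following the first CNAME seen for the current
    #    name. Any record owned by a different name at that point is one that a
    #    strictly sequential consumer would not associate with the chain.
    current = qname
    for index, (owner, rtype, rdata) in enumerate(answer):
        if owner == current and rtype == "CNAME":
            current = rdata
        elif owner != current:
            findings.append(("unexpected-owner", owner, index))
    return findings


if __name__ == "__main__":
    for label, section in (("ordered", ORDERED), ("reordered", REORDERED),
                           ("multi-cname", MULTI_CNAME)):
        print(label, lint_answer("www.example.test.", section))
```
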
