CNAME records are supposed to be singletons. If we want to specify anything, it
should be to reject answers with multiple CNAME records with the same owner
name; however, this is the wrong draft to do that.

> On 15 Jan 2026, at 12:06, X L <[email protected]> wrote:
> 
> Hi Joe,
> 
> About the "CNAME-restart logic" mentioned in
> https://blog.cloudflare.com/cname-a-record-order-dns-standards/,
> we have tested mainstream resolvers' behaviors in our USENIX Security 2023
> paper.
> There could be multiple CNAME records for one qname. Different resolvers have
> unique processing logic when doing the CNAME chaining (CNAME-restart, as you
> called it).
> 
> CNAME Chaining:
> https://www.usenix.org/system/files/usenixsecurity23-li-xiang.pdf
> (Section 4.1 and Table 2)
> 
> Third, we also found that the resolver can select a CNAME record from all the 
> CNAME records embedded in R (during UpdateQuery) and query the closest 
> server in the cache, but the implementations differ. BIND, Unbound, MaraDNS, 
> and Simple DNS Plus use the first CNAME record to issue the following query 
> Q, while Knot Resolver and PowerDNS Recursor use the last CNAME record. 
> Microsoft DNS selects a random CNAME record to lookup.
> 
> Xiang Li
> Nankai University
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
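
The check discussed in this message, as an added example that is not part of the original thread or of any resolver's code: it flags an answer section carrying several CNAME records for one owner name and shows how "first" and "last" selection diverge on it. The record tuples, names, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample answer section: (owner, type, rdata). Names are made up.
SAMPLE_ANSWER = [
    ("www.example.test.", "CNAME", "a.cdn.example.test."),
    ("www.example.test.", "CNAME", "b.cdn.example.test."),
    ("a.cdn.example.test.", "A", "192.0.2.10"),
    ("b.cdn.example.test.", "A", "192.0.2.20"),
]

def norm(name):
    """DNS names compare case-insensitively; lower-case and add trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def cname_targets(answer):
    """Map each owner name to its CNAME targets, in the order received."""
    targets = defaultdict(list)
    for owner, rtype, rdata in answer:
        if rtype.upper() == "CNAME":
            targets[norm(owner)].append(norm(rdata))
    return dict(targets)

def duplicate_cname_owners(answer):
    """Owners with more than one CNAME target (the non-singleton case).
    Assumption: byte-identical repeats of one record count as a single record."""
    return {o: t for o, t in cname_targets(answer).items() if len(set(t)) > 1}

def follow(answer, qname, pick):
    """Follow the chain from qname; pick(targets) models a selection policy."""
    targets, seen, name = cname_targets(answer), set(), norm(qname)
    while name in targets and name not in seen:  # 'seen' stops CNAME loops
        seen.add(name)
        name = pick(targets[name])
    return name

def check_answer(answer, qname):
    """Return (ok, detail): reject if any owner has several CNAME records,
    otherwise return the final name reached by following the chain."""
    dups = duplicate_cname_owners(answer)
    if dups:
        return False, dups
    return True, follow(answer, qname, lambda t: t[0])
```
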
