[Pdns-users] Wrong A-Record is returned for CNAME that can not be resolved to A

frank+pdns at tembo.be
Thu Sep 26 10:27:10 UTC 2019

Hi Kevin,

> ===========>% ===========
> C:\Users\kolbrich>nslookup -q=CNAME _91867ab3c77f152ba4ab0cceeabb3666.expose.graf-borstar.de.
> Server:  dns.google
> Address:
> Nicht autorisierende Antwort:
> _91867ab3c77f152ba4ab0cceeabb3666.expose.graf-borstar.de        canonical name = _c09668a36b3b6665549a795863f30b9b.olprtlswtu.acm-validations.aws

> My NS has a catch-all zone using "." including SOA to be authoritative for all new domains that do not yet have a zone (async processing).
> This allows us to be responsive for zones we actually did not yet create or have not been replicated.

> It seems that AWS uses the same authoritative NS to resolve its own CNAME (which does not resolve at all in public):

I doubt that’s the problem (and note that acm-validations.aws is a valid domain name and points to AWS).

I believe the problem might be here:

~ ❯❯❯ dig SOA expose.graf-borstar.de

; <<>> DiG 9.10.6 <<>> SOA expose.graf-borstar.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58518
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1280
;expose.graf-borstar.de.		IN	SOA

expose.graf-borstar.de.	3593	IN	CNAME	fae31f3b-08a0-4b3c-8767-7f1b1baec2af.iexendpoints.de.

iexendpoints.de.	293	IN	SOA	ns-660.awsdns-18.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 19 msec
;; WHEN: Thu Sep 26 12:20:56 CEST 2019
;; MSG SIZE  rcvd: 199

You have a CNAME in place for expose.graf-borstar.de. Does that belong there? This might cause issues.

Could you also clarify the problem you are having? It’s not 100% clear to me at this point. 

Kind Regards,

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be
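
Added example, not part of the original message: a small Python check that reads dig text output like the reply quoted above, follows any CNAME chain from the queried name, and reports when a non-CNAME query hit an alias and when the final status is NXDOMAIN. The function name `analyse` and the embedded sample (constructed from the dig output in this message) are assumptions for illustration.

```python
import re

# Constructed sample: the relevant lines of the dig reply shown in this message.
SAMPLE = (
    ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58518\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1\n"
    "\n"
    ";expose.graf-borstar.de.\t\tIN\tSOA\n"
    "\n"
    "expose.graf-borstar.de.\t3593\tIN\tCNAME\t"
    "fae31f3b-08a0-4b3c-8767-7f1b1baec2af.iexendpoints.de.\n"
    "\n"
    "iexendpoints.de.\t293\tIN\tSOA\tns-660.awsdns-18.net. "
    "awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400\n"
)


def analyse(dig_text):
    """Summarise one dig reply: status, question, CNAME chain, findings."""
    m = re.search(r"status: (\w+)", dig_text)
    status = m.group(1) if m else None
    qname = qtype = None
    records = []
    for line in dig_text.splitlines():
        q = re.match(r";(\S+)\s+IN\s+(\S+)\s*$", line)  # question line
        if q:
            qname, qtype = q.group(1).lower(), q.group(2)
        elif line and not line.startswith(";"):          # resource record
            f = line.split(None, 4)
            if len(f) == 5:
                records.append((f[0].lower(), f[3], f[4]))
    cnames = {owner: data.lower() for owner, rtype, data in records
              if rtype == "CNAME"}
    chain, name = [qname], qname
    while name in cnames and cnames[name] not in chain:  # stop on loops
        name = cnames[name]
        chain.append(name)
    findings = []
    if len(chain) > 1 and qtype != "CNAME":
        findings.append(f"{qname} is a CNAME; the {qtype} query was "
                        f"followed to {chain[-1]}")
    if status == "NXDOMAIN":
        # The RCODE describes the last name in the chain, not the alias.
        findings.append(f"{chain[-1]} does not exist")
    return {"status": status, "qname": qname, "qtype": qtype,
            "chain": chain, "findings": findings}


if __name__ == "__main__":
    for finding in analyse(SAMPLE)["findings"]:
        print(finding)
```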
