What came first: the CNAME or the A record?
An update to the cache implementation in Cloudflare’s DNS resolver led to DNS resolution failures caused by the ordering of CNAME and A records in responses.
DNS clients differ in how they handle the ordering of CNAME and A records in responses: some expect the CNAME record to come before the A record, while others do not require any specific order. Cloudflare states that their interpretation of RFC 1034 did not mandate any specific order, which led to the issues when some clients expected the CNAME before the A record.
They also mention that even if the RFC is interpreted as requiring CNAMEs before the A record, resolution might still fail if multiple CNAME records are not in the expected order. For example, if the response has:
alias1.example.com CNAME alias2.example.com
example.com CNAME alias1.example.com
alias2.example.com A <IP Address>
and the client looks up example.com, it would find the CNAME to alias1.example.com. But if the records are checked sequentially, it would not find the CNAME for alias1.example.com pointing to alias2.example.com after that initial match, because that record has already been passed, and resolution fails. This response only resolves if the client follows CNAMEs recursively rather than relying on the record order.
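The failure described above, as an added example (not code from Cloudflare or from any real DNS client): a single-pass parser and an order-independent chain follower run over the same answer section. The function names, the hop limit and the address 192.0.2.10 standing in for <IP Address> are assumptions made for illustration.

```python
# Constructed answer section, in the order given in the text above.
# 192.0.2.10 (documentation range) stands in for <IP Address>.
ANSWER = [
    ("alias1.example.com", "CNAME", "alias2.example.com"),
    ("example.com", "CNAME", "alias1.example.com"),
    ("alias2.example.com", "A", "192.0.2.10"),
]

def resolve_sequential(qname, answer):
    """Single forward pass: a record only matches if it appears after
    the record that made its owner name the expected one."""
    expected, addrs = qname.lower(), []
    for owner, rtype, rdata in answer:
        if owner.lower() != expected:
            continue  # out-of-order records are silently skipped
        if rtype == "CNAME":
            expected = rdata.lower()
        elif rtype == "A":
            addrs.append(rdata)
    return addrs

def resolve_by_name(qname, answer, max_hops=8):
    """Index records by owner name, then follow the CNAME chain in any
    order. The hop limit (an assumed value) stops CNAME loops."""
    cnames, addrs = {}, {}
    for owner, rtype, rdata in answer:
        if rtype == "CNAME":
            cnames[owner.lower()] = rdata.lower()
        elif rtype == "A":
            addrs.setdefault(owner.lower(), []).append(rdata)
    name = qname.lower()
    for _ in range(max_hops):
        if name in addrs:
            return addrs[name]
        if name not in cnames:
            return []  # chain ends without an address
        name = cnames[name]
    return []  # loop or chain longer than max_hops

if __name__ == "__main__":
    print("sequential:", resolve_sequential("example.com", ANSWER))
    print("by name:   ", resolve_by_name("example.com", ANSWER))
```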