Mark Andrews <marka@isc.org> writes:
It shouldn’t matter. Only non-rfc-compliant servers allow A and CNAME to co-exist at the same name. That combination was prohibited by RFC 1034.

Right. Thanks. I confused myself multiple times here ;-)

The issue seems to be that the Cloudflare servers take a shortcut and convert the CNAME to A, dropping the intermediate CNAME. That's obviously not OK.

So it looks correct when you do:

bjorn@miraculix:/tmp$ dig CNAME login.authorize.net @ns0210.secondary.cloudflare.com

; <<>> DiG 9.16.13-Debian <<>> CNAME login.authorize.net @ns0210.secondary.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52372
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.           IN      CNAME

;; ANSWER SECTION:
login.authorize.net.    300     IN      CNAME   login.authorize.net.cdn.cloudflare.net.

;; Query time: 28 msec
;; SERVER: 162.159.33.85#53(162.159.33.85)
;; WHEN: Wed Apr 07 10:01:23 CEST 2021
;; MSG SIZE rcvd: 97

bjorn@miraculix:/tmp$ dig A login.authorize.net.cdn.cloudflare.net @ns0210.secondary.cloudflare.com

; <<>> DiG 9.16.13-Debian <<>> A login.authorize.net.cdn.cloudflare.net @ns0210.secondary.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54740
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN A

;; ANSWER SECTION:
login.authorize.net.cdn.cloudflare.net. 300 IN A 104.18.8.127
login.authorize.net.cdn.cloudflare.net. 300 IN A 104.18.9.127

;; Query time: 28 msec
;; SERVER: 162.159.33.85#53(162.159.33.85)
;; WHEN: Wed Apr 07 10:01:41 CEST 2021
;; MSG SIZE rcvd: 99

But not when you query for A directly:

bjorn@miraculix:/tmp$ dig A login.authorize.net @ns0210.secondary.cloudflare.com

; <<>> DiG 9.16.13-Debian <<>> A login.authorize.net @ns0210.secondary.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26197
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.           IN      A

;; ANSWER SECTION:
login.authorize.net.    300     IN      A       104.18.9.127
login.authorize.net.    300     IN      A       104.18.8.127

;; Query time: 24 msec
;; SERVER: 162.159.33.85#53(162.159.33.85)
;; WHEN: Wed Apr 07 10:02:25 CEST 2021
;; MSG SIZE rcvd: 80

So a Cloudflare bug.

Bjørn
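
Added example, not part of the original message or of any project's code: a small offline check for the inconsistency shown in the dig output above, comparing the CNAME answer and the A answer that one authoritative server gives for the same name. The function names are hypothetical, and the chained answer is constructed for comparison.

```python
def parse_answer(section):
    """Parse dig ANSWER SECTION text into (owner, type, rdata) tuples."""
    records = []
    for line in section.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records


def check_cname_consistency(name, cname_answer, a_answer):
    """Compare the CNAME answer and the A answer one server gave for `name`."""
    name = name.lower().rstrip(".") + "."
    has_cname = any(o == name and t == "CNAME"
                    for o, t, _ in parse_answer(cname_answer))
    if not has_cname:
        return []  # no CNAME published at this name, nothing to compare
    a_records = parse_answer(a_answer)
    findings = []
    if not any(o == name and t == "CNAME" for o, t, _ in a_records):
        findings.append("CNAME missing from A response")
    if any(o == name and t == "A" for o, t, _ in a_records):
        findings.append("A record at a name that owns a CNAME")
    return findings


# Answer sections copied from the dig output in the message above.
CNAME_ANSWER = "login.authorize.net. 300 IN CNAME login.authorize.net.cdn.cloudflare.net."
FLATTENED_A_ANSWER = """
login.authorize.net. 300 IN A 104.18.9.127
login.authorize.net. 300 IN A 104.18.8.127
"""
# Constructed for comparison: the same data with the CNAME chain kept in the answer.
CHAINED_A_ANSWER = """
login.authorize.net. 300 IN CNAME login.authorize.net.cdn.cloudflare.net.
login.authorize.net.cdn.cloudflare.net. 300 IN A 104.18.8.127
login.authorize.net.cdn.cloudflare.net. 300 IN A 104.18.9.127
"""

if __name__ == "__main__":
    for label, answer in (("flattened", FLATTENED_A_ANSWER),
                          ("chained", CHAINED_A_ANSWER)):
        print(label, check_cname_consistency("login.authorize.net", CNAME_ANSWER, answer))
```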