Re: CNAME records in place of A records

[Mark Andrews <marka () isc org>]

> On 9 Nov 2020, at 12:01, Rob McEwen <rob () invaluement com> wrote:
>
> On 11/8/2020 7:10 PM, Matt Palmer wrote:
> > On Fri, Nov 06, 2020 at 05:07:26AM -0500, Dovid Bender wrote:
> > > Sorry if this is a bit OT. Recently several different vendors (in
> > > completely different fields) where they white label for us asked us to
> > > remove A records that we have going to them and replace them with CNAME
> > > records. Is there anything *going around* in the security aranea  that has
> > > caused this?
> > The closest thing to a *security* issue I can think of is IP agility in the
> > face of DDoS attacks -- most booter-style attacks are dumb as rocks, and
> > null-routing the target IP and moving all the customers on that IP to
> > another one is the easiest solution.
> >
> > However, there are many *other* great reasons to get customers to CNAME onto
> > their SaaS vendors, including:
> >
> > * No need to coordinate routine renumbering events;
> > * IPv6 support;
> > * CAA record (SSL cert issuance) support; and
> > * no doubt a bunch of other reasons I've forgotten for the moment.
> >
> > Basically, if you sign up for a SaaS that uses your own domain and they
> > *don't* give you a CNAME target to point at, I'd be very cautious, because
> > they're either *very* new to the game, or they're probably also
> > operationally deficient in a lot of other areas, too.
> >
> > - Matt
>
>
> except - don't forget that the root of a domain (that domain without "www.”
> or any other label) - cannot have a CNAME as the "A" record - fwiw…

Which is why there are HTTPS and SVCB records coming and SRV exists.
You don’t need CNAME, you need indirection.  Indirection does require
a small amount of client support.

> -- 
> Rob McEwen, invaluement

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org