Feb 7
1 / 4
Feb 7
15d ago
eworm
18d

Hello everybody,

staring about a month ago I am suffering issues with CNAMES when resolved via 1.1.1.1 DNS server. This is two-fold:

  • sometimes TTL of 0 is returned for CNAME
  • different TTL is returned for CNAME when requesting A or AAAA record

In combination sometimes TTL of zero and non-zero is returned when A and AAAA records are requested simultaneously in one record set.

Please see RFC 2181, Section 5.2. TTLs of RRs in an RRSet 1, which disallows this:

Consequently the use of differing TTLs in an RRSet is hereby deprecated, the TTLs of all RRs in an RRSet must be the same.

This rule has been implemented in systemd's resolved about six years ago:

As a consequence it is no longer possible to use Cloudflare DNS with most Linux distributions. Lots of sites and services are randomly unreachable.

I am not sure this community site is read by admins who are responsible. But I could not find a better place to report this… Hope anybody can fix this.

BTW, I am Arch Linux developer and packaging systemd downstream. Currently we set Cloudflare DNS as first default fallback. That will change if nothing happens any time soon.

Best regards,
Chris

  • created

    18d

  • last reply

    15d
  • 3

    replies

  • 459

    views

  • 2

    users

  • 2

    links

wouterCloudflare Team
17d

Hi eworm,

Thanks for reporting. The issue you are describing regarding the zero TTLs is something we’re aware of and actively working on. Can’t give you an exact ETA but should be fixed relatively soon.

Could you elaborate on the second issue, regarding different TTLs on different types of records? If you look at RFC 2181 - Clarifications to the DNS Specification you’ll see that:

It is however possible for most record types to exist
with the same label, class and type, but with different data. Such a
group of records is hereby defined to be a Resource Record Set
(RRSet)

In other words, an A record and a AAAA record can not co-exist in a single RRset by definition (they would be two RRsets). If you have an example of what you are encountering, that might clear things up.

Best regards,

Wouter

eworm
16d

Hi wouter,

great that the issue with zero TTL is already being worked on. Much appreciated!

About the second issue: Most systems are dual stack these days. So the system’s resolver (and in this case systemd-resolved as part of it) sends two requests to resolve a domain, one for A record and one for AAAA record. If the domain name is a CNAME both records are answered with the same data (another domain name), but (possibly) with a different TTL. Both answers are handled as one RRSet, and different TTLs for the same data are tolerated - unless one is zero and the other non-zero.

The check for this is what I referenced in code in my original post. Not quite sure this is even technically correct. Can one RRSet consist of two queries and answers. I guess Cloudflare sends this through a load balancer and answers come from different nodes, no?

However… The issue will go away when TTL is no longer zero.

Best regards,
Chris

wouterCloudflare Team
15d

Hey eworm,

I think the zero TTL fix will solve these problems. Even if A/AAAA are returned in the same query, they still wouldn’t be in the same RRset and different TTLs would be fine.

A single RRset can only consist of records with the exact same type and name. In that case they all must have the same TTL (as you quoted from the RFC).

Best regards,

Wouter

This topic will close a month after the last reply.