CNAME records in place of A records

Rob McEwen rob at
Mon Nov 9 01:01:12 UTC 2020

On 11/8/2020 7:10 PM, Matt Palmer wrote:
> On Fri, Nov 06, 2020 at 05:07:26AM -0500, Dovid Bender wrote:
>> Sorry if this is a bit OT. Recently several different vendors (in
>> completely different fields) where they white label for us asked us to
>> remove A records that we have going to them and replace them with CNAME
>> records. Is there anything *going around* in the security arena that has
>> caused this?
> The closest thing to a *security* issue I can think of is IP agility in the
> face of DDoS attacks -- most booter-style attacks are dumb as rocks, and
> null-routing the target IP and moving all the customers on that IP to
> another one is the easiest solution.
> However, there are many *other* great reasons to get customers to CNAME onto
> their SaaS vendors, including:
> * No need to coordinate routine renumbering events;
> * IPv6 support;
> * CAA record (SSL cert issuance) support; and
> * no doubt a bunch of other reasons I've forgotten for the moment.
> Basically, if you sign up for a SaaS that uses your own domain and they
> *don't* give you a CNAME target to point at, I'd be very cautious, because
> they're either *very* new to the game, or they're probably also
> operationally deficient in a lot of other areas, too.
> - Matt

except - don't forget that the root of a domain (that domain without 
"www." or any other label) - cannot have a CNAME as the "A" record - fwiw...

Rob McEwen, invaluement
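
Why the apex is special, as an added example that is not part of the original message: a CNAME may not share its owner name with other record types (RFC 1034, section 3.6.2), and the zone apex always carries SOA and NS records. The Python below checks constructed zone lines for that conflict; the zone data, host names and function names are assumptions made for illustration.

```python
# Constructed sample zone (hypothetical names; 192.0.2.0/24 is a documentation range).
SAMPLE_ZONE = """\
; owner             ttl  class type  rdata
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
example.com.        3600 IN NS    ns1.example.com.
example.com.        3600 IN CNAME tenant.saas-vendor.example.
www.example.com.    3600 IN CNAME tenant.saas-vendor.example.
shop.example.com.   3600 IN CNAME tenant.saas-vendor.example.
shop.example.com.   3600 IN TXT   "site-verification=constructed"
ns1.example.com.    3600 IN A     192.0.2.53
"""

# DNSSEC record types that are permitted alongside a CNAME (RFC 4034).
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def parse_records(zone_text):
    """Yield (owner, type) from fully qualified 'owner ttl class type rdata' lines.

    Simplified parser for this example: one record per line, no $ORIGIN,
    no multi-line records, comment lines start with ';'.
    """
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"unparseable record line: {raw!r}")
        yield fields[0].lower().rstrip("."), fields[3].upper()


def cname_conflicts(zone_text):
    """Return {owner: [other types]} for names where a CNAME coexists with other data."""
    types_by_owner = {}
    for owner, rtype in parse_records(zone_text):
        types_by_owner.setdefault(owner, set()).add(rtype)
    conflicts = {}
    for owner, types in types_by_owner.items():
        others = sorted(types - ALLOWED_WITH_CNAME)
        if "CNAME" in types and others:
            conflicts[owner] = others
    return conflicts


if __name__ == "__main__":
    for owner, others in cname_conflicts(SAMPLE_ZONE).items():
        print(f"{owner}: CNAME conflicts with {', '.join(others)}")
```

The apex is flagged because of its mandatory SOA and NS records, while `www` passes because the CNAME is the only data at that name.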
