Must the authoritative DNS server for a domain allow recursion to allow CNAME records pointing to other domains?

So I've got a domain registered with Dreamhost, which apparently does not do recursive lookups, and an app on Heroku. Heroku apps are always configured to use a CNAME record to proxy.heroku.com.

So:

Authoritative DNS:  ns1.dreamhost.com (for foo.com)

CNAME record:       app.foo.com -> proxy.heroku.com

Resolves to:        Set of A records for EC2 IPs

I've been told by some folks trying to connect to the app from behind a Windows Server 2003 DNS Server that it handles SERVFAIL differently and cannot resolve the DNS. I'm trying to understand if this is truly a configuration issue on my side or theirs, notably, per the title:

Must the authoritative DNS server for a domain be recursive to allow CNAME records pointing to other domains?


Solution 1:

No, you don't need to have recursion on for authoritative DNS servers. Depending on who you ask it's even considered good practice that (if possible) your authoritative server not be recursive, as it's a line of defence against some DoS attacks. (Cisco's document is here for example)

A sample from my domain is below (the server is running BIND 9 and is non-recursive).

; <<>> DiG 9.5.1-P3 <<>> mail.<snip> @<my authoritative master>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1216
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;mail.<snip>.       IN  A

;; ANSWER SECTION:
mail.<snip>.        86400   IN  CNAME   ghs.google.com.
ghs.google.com.     158151  IN  CNAME   ghs.l.google.com.
ghs.l.google.com.   33    IN  A       74.125.47.121

;; AUTHORITY SECTION:
google.com.     153556  IN  NS  ns4.google.com.
google.com.     153556  IN  NS  ns2.google.com.
google.com.     153556  IN  NS  ns3.google.com.
google.com.     153556  IN  NS  ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.     169823  IN  A   216.239.32.10
ns2.google.com.     169823  IN  A   216.239.34.10
ns3.google.com.     169823  IN  A   216.239.36.10
ns4.google.com.     169823  IN  A   216.239.38.10

It sounds more like a DNS misconfiguration at the Windows 2003 DNS than anything else.

Solution 2:

Authoritative servers should NOT be configured to offer recursive service. Not even to work around a potential Microsoft bug.

I can't quote chapter and verse at the moment (if I find it I'll update). However, this is very much the accepted "best common practice" for operation of DNS servers.

If some resolver in your lookup chain is returning SERVFAIL then that simply indicates a misconfiguration somewhere or that you're asking the wrong question (or the right question with the wrong flags).

In your case, the dreamhost.com servers return SERVFAIL if you ask for a recursive answer (which happens to be what nslookup does by default). They're perfectly entitled to do that; they're authoritative servers, not recursive ones.

On my system, if I use dig instead and specifically disable recursion I get:

% dig +norecurse @ns1.dreamhost.com mail.scotchi.net.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec @ns1.dreamhost.com mail.scotchi.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54426
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;mail.scotchi.net.  IN A

;; ANSWER SECTION:
mail.scotchi.net. 14400 IN CNAME ghs.google.com.
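As an added illustration of what both answers describe (not code from either poster or from the tools involved), the following Python model builds an A query with or without the RD bit, constructs the kind of reply a non-recursive authoritative server sends (QR and AA set, RA never set, the request's RD bit merely echoed), and shows what the querying resolver has to do with it: a SERVFAIL is a dead end, while a CNAME answer pointing out of the zone means the resolver itself has to chase the target, because the authoritative server will not. The SERVFAIL-for-RD behaviour and the mail.scotchi.net/ghs.google.com names are taken from the answer above; all packets are constructed locally, so nothing is sent on the network.

```python
import struct

QR, AA, RD, RA = 1 << 15, 1 << 10, 1 << 8, 1 << 7   # header flag bits, RFC 1035 s4.1.1
TYPE_A, TYPE_CNAME, CLASS_IN, RCODE_SERVFAIL = 1, 5, 1, 2

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                      # compression pointer
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (end or off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_query(name, txid, recursion_desired):
    """A-record query. nslookup sets RD by default; dig +norecurse clears it."""
    header = struct.pack("!HHHHHH", txid, RD if recursion_desired else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)

def build_reply(query, rcode, rtype=None, rdata=b""):
    """Constructed authoritative reply: QR and AA set, RA never set, RD echoed."""
    txid, qflags = struct.unpack("!HH", query[:4])
    answer = b"" if rtype is None else b"\xC0\x0C" + struct.pack("!HHIH", rtype, CLASS_IN, 14400, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, QR | AA | (qflags & RD) | rcode, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer

def next_step(reply):
    """What the querying resolver must do with an authoritative reply to an A query."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if (flags & 0xF) == RCODE_SERVFAIL:
        return ("servfail", None)
    off = decode_name(reply, 12)[1] + 4              # skip question name, QTYPE, QCLASS
    if ancount == 0:
        return ("nodata", None)
    _, off = decode_name(reply, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    if rtype == TYPE_CNAME:                          # server does not chase it; the resolver must
        return ("chase", decode_name(reply, off + 10)[0])
    return ("done", ".".join(str(b) for b in reply[off + 10:off + 10 + rdlen]))
```

A Windows 2003 DNS server that treats the SERVFAIL from the RD=1 query as the final answer, instead of retrying without RD and chasing the CNAME itself, would fail exactly as the question describes.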