Symptoms
On a cPanel server running PowerDNS, a user may replace the domain's apex A record with a CNAME record or convert the A record to a CNAME record.
; cPanel first:102.0.18 (update_time):1728389782 Cpanel::ZoneFile::VERSION:1.3 hostname:server.hostname.tls latest:122.0.17
; Zone file for domain.tld
$TTL 3600
domain.tld. 86400 IN SOA ns1.hostname.tld. admin.hostname.tld. 2024100803 86400 7200 2419200 3600
domain.tld. 86400 IN NS ns1.hostname.tld.
domain.tld. 86400 IN NS ns2.hostname.tld.
domain.tld. 3600 IN CNAME somehost.tld.
Description
By default, CNAME records cannot exist at the zone apex: the zone apex must contain the SOA record (RFC 1034 section 4.2.1), and a CNAME record cannot exist at a node with any other record (RFC 1034 section 3.6.2). An apex record of this kind is referred to as an "Alias record."
Though they are disabled by default, it is possible to configure PowerDNS to allow Alias records. If this functionality is not desired, you can undo the changes to disallow the Alias records.
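The coexistence rule described above can be checked against a zone file. The following is an added example, not part of cPanel or PowerDNS; it goes slightly beyond the apex case and reports any owner name that holds a CNAME together with another record type. The function name `find_cname_conflicts` and the sample zone are constructed for illustration, and the parser assumes one fully written record per line, as in the zone shown under Symptoms.

```sh
#!/bin/sh
# find_cname_conflicts ZONEFILE
# Prints "owner: TYPE TYPE ..." for each owner name that has a CNAME and
# at least one other record type; exits 1 if any conflict is found.
# Assumption: one record per line as "owner [ttl] [class] type rdata",
# with a numeric TTL and no multi-line (parenthesised) records.
find_cname_conflicts() {
    awk '
        NF == 0      { next }                      # blank line
        $1 ~ /^[;$]/ { next }                      # comment or $TTL/$ORIGIN directive
        {
            owner = tolower($1)
            i = 2
            if ($i ~ /^[0-9]+$/) i++               # optional TTL
            if (toupper($i) ~ /^(IN|CH|HS)$/) i++  # optional class
            type = toupper($i)
            if (type == "CNAME") cname[owner] = 1
            else other[owner] = other[owner] " " type
        }
        END {
            for (o in cname) if (o in other) { print o ":" other[o]; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample modelled on the zone under Symptoms (not a real zone).
sample=$(mktemp)
cat > "$sample" <<'EOF'
; Zone file for domain.tld
$TTL 3600
domain.tld. 86400 IN SOA ns1.hostname.tld. admin.hostname.tld. 2024100803 86400 7200 2419200 3600
domain.tld. 86400 IN NS ns1.hostname.tld.
domain.tld. 86400 IN NS ns2.hostname.tld.
domain.tld. 3600 IN CNAME somehost.tld.
www.domain.tld. 3600 IN CNAME somehost.tld.
EOF
find_cname_conflicts "$sample" || echo "CNAME coexists with other records"
rm -f "$sample"
```

The `www` name in the sample is not reported because the CNAME is the only record at that node.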
Workaround
- Access your server using SSH as the root user.
- Move or delete the touch file from the following location:
  rm -v /etc/pdns/danger-danger-danger-server-owners-understand-the-severe-risk-and-accept-responsibility-for-any-consequences-of-using-experimental-alias-records
- Using your preferred text editor, open the PowerDNS config file at /etc/pdns/pdns.conf and remove the following lines:
  expand-alias=yes
  resolver=192.0.2.3
- Save the file and restart the pdns service:
  /scripts/restartsrv_pdns