When looking up a TXT record, it's pulling back CNAME

[TopCoder02]

If I look up _dmarc.ramrealestate.com with TXT - It pulls back CNAME.

There is a CNAME, but I'm looking for TXT specifically...

https://dnschecker.org/#TXT/_dmarc.ramrealestate.com -- I was expecting results like this.

I know I can filter out the results, just wondering if this is a bug that it pulls back the CNAME - Take an easy on me!

[MichaCo]

CNAME records point to the domain which might hold the actual record you are asking for.
In your case, you asked for a txt record of a domain, but probably all records, like the IP and such are stored under a different domain and your initial domain only points to that.

query for A records of help.microsoft.com. will yield 2 CNAME and one A record atm, so there are 2 levels of pointers until the last one actually has the answer.

A DNS server will always return all records it found while following the CNAME records.
If your answer section then doesn't have an answer to TXT but has a couple of CNAME entries in it, that just means that the server followed the CNAME pointers but the last resolved domain name did not have any TXT records defined.

[TopCoder02]

@MichaCo

I understand what you're saying, but sometimes that doesn't sense depending on the application.

I'm working with IETF RFC Standards, where there is something called order of preference.

Here's a Good Example, there is something called "Sender Policy Framework" or "SPF" every email company. (Yahoo, Gmail, etc) has to evaluate TXT records to see if permission is granted for the email or if it's spoofed.

The rules when it comes to CNAMES is this,

1. Apply Local SPF TXT record first "v=spf1"
2. If there is no local records, and if a CNAME exists, follow the CNAME and look for the SPF record there, this is called "Transitioning"
3. When looking up DMARC or DKIM records, "transitioning or CNAME does apply, it has to be on the base domain, not a CNAME.

If you follow the CNAME and pull back TXT records for email authentication protocols - Then that allows spoofing to take pace.

Maybe an introduction of a flag/option that says "follow cnames" will resolve the issue where people can use the DNS client properly to pull records for authentication purposes. Not just for email but everything else.

[MichaCo]

I'm not sure what you are really asking for here.
But I think you are missing the point that this library, or dns clients in general, do not follow cnames.
This is just the response you get for your request from the dns server.
I'm not doing anything with that response.