Facebook and DNS - not friends

It's a maexotic world ...

DNS has been a core technology of the Internet since 1987, when P. Mockapetris published RFC 1024: "Domain Names - Concepts and Facilities". DNS servers all over the Internet translate names to addresses, serve Mail eXchanger information, LOCation data and, amongst others, since 2000 there is RFC 2782: "A DNS RR for specifying the location of services (DNS SRV)".

In February 2010 Facebook opened up their WebChat via XMPP so you can use it in your instant messaging client. XMPP uses DNS SRV RRs to find servers. If your XMPP account is joe@im.example.com (yes, it looks like an email address), clients would query the DNS for a SRV RR of

_xmpp-client._tcp.im.example.com.
and the answer would either be NXDOMAIN, if no such service or resource record exists, or something like

_xmpp-client._tcp.im.example.com.  300  IN  SRV  100  100  5222  chatserver.example.com.

The client would then connect to the host chatserver.example.com on port 5222. If no SRV record exists, the client would try im.example.com as the host and the default port 5222.
Zillions of XMPP servers all over the Internet work that way.

Now let's take a look at Facebook. All chat addresses have the form user@chat.facebook.com (as mentioned on "Facebook Chat. Everywhere"). So, clients do a DNS SRV lookup for chat.facebook.com:

$ dig _xmpp-client._tcp.chat.facebook.com. srv
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34540
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
_xmpp-client._tcp.chat.facebook.com. 30	IN CNAME chat.facebook.com.

Woopsie! A NOERROR response with an answer type (CNAME) that is undefined for a SRV query. And it doesn't make sense, either.
Using a different DNS cache server (BIND instead of djbdns) even gives:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50544

I guess most clients can handle that; at least pidgin can. Nevertheless, it is another example of how Facebook is messing up their DNS, and their chat along with it. And I thought it couldn't get worse after finding that their XMPP servers don't support SSL/TLS for secure communication.
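Putting the client-side rules from this post into code: an added example (not from the original post or from any XMPP client) that orders SRV answers per RFC 2782, falls back to the domain itself on port 5222 when no SRV record exists, and, as a robust client should, ignores answer records of the wrong type such as the CNAME returned for chat.facebook.com. The record lines are constructed in the style of dig output; nothing is queried over the network.

```python
import random
from collections import namedtuple

XMPP_CLIENT_PORT = 5222  # default when no SRV record exists
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def parse_rr(line):
    """Parse one RR line as dig prints it (name ttl class type rdata...); returns None
    for non-SRV records (such as the CNAME Facebook hands back) so callers skip them."""
    f = line.split()
    if len(f) < 8 or f[3].upper() != "SRV":
        return None
    return SrvRecord(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip("."))

def order_srv(records, rng=random.random):
    """RFC 2782 ordering: lowest priority first, weighted random within a priority."""
    by_prio = {}
    for r in records:
        by_prio.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:  # draw one target at a time, proportional to its weight
            pick = rng() * sum(r.weight for r in pool)
            acc = 0
            for r in pool:
                acc += r.weight
                if pick < acc or r is pool[-1]:
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered

def xmpp_endpoints(domain, answer_lines, rng=random.random):
    """(host, port) candidates to try in order. Non-SRV answers are ignored;
    with no usable SRV record the client falls back to the domain on 5222."""
    srv = [r for r in map(parse_rr, answer_lines) if r is not None]
    if not srv:
        return [(domain, XMPP_CLIENT_PORT)]
    if len(srv) == 1 and srv[0].target == "":  # target "." = service not offered
        return []
    return [(r.target, r.port) for r in order_srv(srv, rng)]

# Constructed sample answers (not captured from real servers).
EXAMPLE_ANSWERS = [
    "_xmpp-client._tcp.im.example.com. 300 IN SRV 100 100 5222 chatserver.example.com.",
    "_xmpp-client._tcp.im.example.com. 300 IN SRV 200 0 5223 backup.example.com.",
]
# Same shape as the chat.facebook.com answer quoted above: a CNAME for a SRV question.
CNAME_ANSWER = ["_xmpp-client._tcp.chat.facebook.com. 30 IN CNAME chat.facebook.com."]
```

Calling `xmpp_endpoints("chat.facebook.com", CNAME_ANSWER)` yields the fallback `[("chat.facebook.com", 5222)]`, which is what a client that tolerates the bogus answer ends up doing anyway.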

★ Oh, for a pro! ★