[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)
johnl at taugh.com
Mon Apr 16 02:44:03 UTC 2018
In article <31BC63A1-83C3-4034-8EEC-93228D75906C at dukhovni.org> you write:
>When requesting the TLSA records for "frasier.family" I get:
>_25._tcp.frasier.family. CNAME \@.frasier.family.
There's no TLSA, it's just matching a wildcard at *.frasier.family,
which points to a looping cname at \@.frasier.family.
It's certainly broken but I don't see anything particularly intersting
about it. I suppose you might want to harden your code to ignore
failures like that since there's a whole lot of parked domains that
don't do TLSA, do have a wildcard for subdomains, and might have a
mail server. (Although this isn't one of them, no MX and no MTA
listening at the A address.)
More information about the dns-operations