[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

John Levine johnl at taugh.com
Mon Apr 16 02:44:03 UTC 2018

In article <31BC63A1-83C3-4034-8EEC-93228D75906C at dukhovni.org> you write:
>When requesting the TLSA records for "frasier.family" I get:

>_25._tcp.frasier.family. CNAME  \@.frasier.family.

There's no TLSA, it's just matching a wildcard at *.frasier.family,
which points to a looping CNAME at \@.frasier.family.

It's certainly broken but I don't see anything particularly interesting
about it.  I suppose you might want to harden your code to ignore
failures like that since there's a whole lot of parked domains that
don't do TLSA, do have a wildcard for subdomains, and might have a
mail server.  (Although this isn't one of them, no MX and no MTA
listening at the A address.)
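Added example (not code from the post or from the frasier.family zone operator): an in-memory model of the wildcard-plus-looping-CNAME case described above, so a DANE lookup can recognise the loop and report "no usable TLSA" rather than fail. The zone contents and the TLSA hash are constructed; only the names come from the post.

```python
# Added example, not code from the list post. Zone contents are constructed;
# "\\@" in Python source is the literal label \@ from the post.

def lookup(zone, name):
    """Exact owner match first, else the closest covering wildcard (RFC 4592:
    a wildcard does not apply if a closer ancestor of name exists explicitly)."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if "*." + ancestor in zone:
            return zone["*." + ancestor]
        if ancestor in zone:  # explicit closer encloser blocks shallower wildcards
            return None
    return None

def resolve_tlsa(zone, qname, max_chain=8):
    """Follow CNAMEs from qname until a TLSA RRset, a dead end or a loop.
    Returns (status, payload) with status 'TLSA', 'NONE' or 'LOOP'."""
    chain, name = [], qname
    while len(chain) <= max_chain:
        if name in chain:               # CNAME target already visited: loop
            return "LOOP", chain + [name]
        chain.append(name)
        rr = lookup(zone, name)
        if rr is None:
            return "NONE", chain        # NXDOMAIN/NODATA: no TLSA here
        rtype, data = rr
        if rtype == "TLSA":
            return "TLSA", data
        name = data                     # CNAME target; keep following
    return "LOOP", chain                # chain too long: treat like a loop

def dane_tlsa_records(zone, mx_host, port=25):
    """What a hardened DANE client would use: the TLSA RRset if one is found,
    else an empty list (parked-domain wildcards and loops count as 'no DANE')."""
    status, payload = resolve_tlsa(zone, f"_{port}._tcp.{mx_host}")
    return payload if status == "TLSA" else []

# Constructed zones: the broken one from the post, and a working one for contrast.
PARKED = {"*.frasier.family.": ("CNAME", "\\@.frasier.family.")}
WORKING = {
    "_25._tcp.mail.example.": ("TLSA", ["3 1 1 " + "00" * 32]),  # placeholder hash
}
```

Whether a loop counts as "no DANE" or as a lookup failure that defers delivery is a policy choice; this code follows the suggestion in the post and returns no records.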