[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Apr 16 03:52:57 UTC 2018



> On Apr 15, 2018, at 10:44 PM, John Levine <johnl at taugh.com> wrote:
> 
> There's no TLSA, it's just matching a wildcard at *.frasier.family,
> which points to a looping cname at \@.frasier.family.

Yes, I can see there's no TLSA, but my resolver returns ServFail,
and does not provide particularly enlightening details.

> It's certainly broken but I don't see anything particularly interesting
> about it.

Yes, routine, but breaks email delivery from DANE-enabled Postfix.

> I suppose you might want to harden your code to ignore
> failures like that

Unfortunately, it is difficult to read the tea-leaves to tell one
ServFail apart from another.

In fact, in surveying 5.86 million DNSSEC-signed domains the number
of similar cases is O(10).  So this is not a widespread issue, but
one that folks on this list might want to be aware of.  When
wildcard CNAMEs loop in signed domains, mail delivery will be adversely
affected.

-- 
	Viktor.
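An added illustration, not part of Viktor's or John's messages: a toy resolver that does wildcard synthesis and CNAME chasing over constructed zone data shaped like the case above, showing how the looping wildcard CNAME turns the TLSA lookup into a lookup failure, while the same zone with the placeholder expanded to the apex merely yields "no TLSA record". The zone contents, the `\@` label and the outcome labels are assumptions for the example, not the real frasier.family zone or Postfix's own code.

```python
# Constructed zone data mirroring the thread's case (not the real zone): the
# wildcard CNAME targets a literal "\@" label that the wildcard itself covers.
BROKEN_ZONE = {
    "frasier.family":   ("A", "192.0.2.1"),
    "*.frasier.family": ("CNAME", "\\@.frasier.family"),
}
FIXED_ZONE = {  # same zone with the "@" placeholder expanded to the apex
    "frasier.family":   ("A", "192.0.2.1"),
    "*.frasier.family": ("CNAME", "frasier.family"),
}
def _exists(name, zone):
    # A name exists if it owns data or is an ancestor of an owner name.
    return any(o == name or o.endswith("." + name) for o in zone)

def lookup(name, zone):
    """Exact match, else RFC 4592 wildcard synthesis at the closest encloser."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if _exists(parent, zone):
            return zone.get("*." + parent)  # wildcard RRset, or None
    return None

def resolve(name, rrtype, zone, max_hops=8):
    """Follow CNAMEs from name. Returns ("ok", rdata), ("nodata", None),
    ("nxdomain", None), or ("loop", chain) on a revisit or too many hops."""
    chain = []
    while name not in chain and len(chain) <= max_hops:
        chain.append(name)
        rr = lookup(name, zone)
        if rr is None:
            return ("nxdomain", None)
        if rr[0] == "CNAME":
            name = rr[1]
        elif rr[0] == rrtype:
            return ("ok", rr[1])
        else:
            return ("nodata", None)
    return ("loop", chain + [name])

def tlsa_outcome(mx_host, zone):
    """What a DANE SMTP client sees after looking up the MX host's TLSA RRset."""
    status, _ = resolve(f"_25._tcp.{mx_host}", "TLSA", zone)
    if status == "ok":
        return "tlsa-found"  # DANE-authenticated TLS is enforced
    if status == "loop":
        return "servfail"    # looks like any other lookup error to the client
    return "no-tlsa"         # no usable TLSA: opportunistic TLS instead
```

The "servfail" outcome is the point of the thread: the client cannot tell this loop from any other resolution failure, so it cannot safely treat it as "no TLSA".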