[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Apr 16 03:52:57 UTC 2018

> On Apr 15, 2018, at 10:44 PM, John Levine <johnl at taugh.com> wrote:
> There's no TLSA, it's just matching a wildcard at *.frasier.family,
> which points to a looping cname at \@.frasier.family.

Yes, I can see there's no TLSA, but my resolver returns ServFail,
and does not provide particularly enlightening details.

> It's certainly broken but I don't see anything particularly interesting
> about it.

Yes, routine, but breaks email delivery from DANE-enabled Postfix.

> I suppose you might want to harden your code to ignore
> failures like that

Unfortunately, it is difficult to read the tea-leaves to tell one
ServFail apart from another.

In fact in surveying 5.86 million DNSSEC-signed domains the number
of similar cases is O(10).  So this is not a widespread issue, but
one that folks on this list might want to be aware of.  When
wildcard CNAMEs loop in signed domains, mail delivery will be adversely

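The failure mode in this thread, a wildcard CNAME whose target itself falls under the same wildcard, is easy to catch before a zone is published. The following is an added example, not code from the thread or from any resolver or zone-hosting product: a small in-memory zone checker that applies the wildcard-synthesis rule of RFC 4592 in a simplified form (closest encloser, no DNAME handling), follows CNAME chains the way a resolver would, and reports a chain that revisits a name as a loop, which is the case a real resolver answers with SERVFAIL. The zone data below is constructed for illustration; `example.test` and its records are not from the original message.

```python
"""Zone lint: find wildcard CNAMEs that loop back into their own wildcard."""
from __future__ import annotations

# Constructed sample zones (not from the original message).
# LOOPING_ZONE mirrors the shape of the failure discussed: the target of the
# wildcard CNAME does not exist explicitly, so it is itself synthesised from
# the same wildcard, and resolution never terminates.
LOOPING_ZONE = {
    "example.test.": {"A": ["192.0.2.1"]},
    "mail.example.test.": {"A": ["192.0.2.25"]},
    "*.example.test.": {"CNAME": ["www.example.test."]},  # www is not defined
}
# GOOD_ZONE is the corrected form: the wildcard target is an explicit owner.
GOOD_ZONE = {
    "example.test.": {"A": ["192.0.2.1"]},
    "www.example.test.": {"A": ["192.0.2.80"]},
    "*.example.test.": {"CNAME": ["www.example.test."]},
}


def _norm(name: str) -> str:
    """Canonical form: lowercase, single trailing dot."""
    return name.lower().rstrip(".") + "."


def _exists(zone: dict, name: str) -> bool:
    """A name exists if it owns records or is an ancestor (empty non-terminal) of one."""
    return any(o == name or o.endswith("." + name) for o in zone)


def _closest_encloser(zone: dict, name: str) -> str | None:
    """Longest proper ancestor of name that exists in the zone (RFC 4592 term)."""
    labels = name.split(".")[:-1]
    for i in range(1, len(labels)):
        cand = ".".join(labels[i:]) + "."
        if _exists(zone, cand):
            return cand
    return None


def lookup(zone: dict, name: str, rtype: str):
    """Return (records, matched_owner) as a resolver would see them.

    An exact owner always wins. A name that does not exist but whose closest
    encloser has a '*' child is synthesised from that wildcard. matched_owner
    is None on NXDOMAIN; records is None on NODATA."""
    name = _norm(name)
    if name in zone:
        return zone[name].get(rtype), name
    if _exists(zone, name):            # empty non-terminal: exists, no data
        return None, name
    ce = _closest_encloser(zone, name)
    wc = "*." + ce if ce else None
    if wc and wc in zone:
        return zone[wc].get(rtype), wc
    return None, None


def resolve(zone: dict, apex: str, name: str, rtype: str = "A", max_hops: int = 8) -> dict:
    """Follow CNAMEs inside one zone. status is one of:
    ok, nodata, nxdomain, external (chain leaves the zone, not followed),
    loop (a name repeats; real resolvers give up and answer SERVFAIL),
    toolong (chain longer than max_hops)."""
    apex = _norm(apex)
    chain: list[str] = []
    cur = _norm(name)
    while True:
        if cur != apex and not cur.endswith("." + apex):
            return {"status": "external", "chain": chain + [cur]}
        if cur in chain:
            return {"status": "loop", "chain": chain + [cur]}
        if len(chain) >= max_hops:
            return {"status": "toolong", "chain": chain}
        chain.append(cur)
        cname, _ = lookup(zone, cur, "CNAME")
        if cname:
            cur = _norm(cname[0])
            continue
        data, owner = lookup(zone, cur, rtype)
        if data:
            return {"status": "ok", "chain": chain}
        return {"status": "nodata" if owner else "nxdomain", "chain": chain}


def audit_wildcard_cnames(zone: dict, apex: str) -> list[tuple[str, str, list[str]]]:
    """For each wildcard CNAME, resolve a constructed non-existent name under it
    and report (wildcard_owner, target, chain) when the chain loops."""
    findings = []
    for owner, rrsets in zone.items():
        if not owner.startswith("*.") or "CNAME" not in rrsets:
            continue
        probe = "zz-wildcard-probe." + owner[2:]   # constructed name, matches the wildcard
        result = resolve(zone, apex, probe)
        if result["status"] == "loop":
            findings.append((owner, rrsets["CNAME"][0], result["chain"]))
    return findings


if __name__ == "__main__":
    for label, zone in (("looping", LOOPING_ZONE), ("good", GOOD_ZONE)):
        print(label, audit_wildcard_cnames(zone, "example.test."))
```

Running the module prints one finding for the looping zone (the probe name, then `www.example.test.` twice) and none for the corrected one. The checker is deliberately zone-local: a wildcard CNAME pointing outside the zone is reported as `external` rather than followed, since that part of the chain lives in someone else's data.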