[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Apr 16 03:52:57 UTC 2018
> On Apr 15, 2018, at 10:44 PM, John Levine <johnl at taugh.com> wrote:
>
> There's no TLSA, it's just matching a wildcard at *.frasier.family,
> which points to a looping cname at \@.frasier.family.
Yes, I can see there's no TLSA, but my resolver returns ServFail,
and does not provide particularly enlightening details.
> It's certainly broken but I don't see anything particularly interesting
> about it.
Yes, routine, but breaks email delivery from DANE-enabled Postfix.
> I suppose you might want to harden your code to ignore
> failures like that
Unfortunately, it is difficult to read the tea-leaves to tell one
ServFail apart from another.
In fact, in surveying 5.86 million DNSSEC-signed domains the number
of similar cases is O(10). So this is not a widespread issue, but
one that folks on this list might want to be aware of. When
wildcard CNAMEs loop in signed domains, mail delivery will be adversely
affected.
--
Viktor.
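The wildcard loop described in the thread, modelled as an added example (not code from the thread, Postfix, or the hosting provider): a small zone lint that chases CNAMEs with wildcard synthesis and flags any wildcard CNAME whose target is itself synthesized by the same wildcard, which is what makes a resolver give up with ServFail. The zone data is constructed, the `\@` label is a literal label as in the quoted case, and wildcard matching is simplified relative to RFC 4592 (closest enclosing `*.` owner wins, empty non-terminals ignored).

```python
# Constructed zone data: owner name -> {rrtype: rdata}.
# "*.frasier.family." mirrors the looping wildcard from the thread; the
# "example.test." names are made up to show a wildcard CNAME that is fine.
ZONE = {
    "frasier.family.": {"SOA": "ns hostmaster 1 3600 900 1209600 300"},
    "*.frasier.family.": {"CNAME": "\\@.frasier.family."},  # literal "\@" label
    "example.test.": {"SOA": "ns hostmaster 1 3600 900 1209600 300"},
    "mail.example.test.": {"A": "192.0.2.10"},
    "*.example.test.": {"CNAME": "mail.example.test."},
}


def _wildcard_owner(zone, name):
    """Return the wildcard owner that would synthesize `name`, or None.
    Simplified RFC 4592: walk up the ancestors and take the first "*." owner."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:]) + "."
        if candidate in zone:
            return candidate
    return None


def lookup(zone, name):
    """Exact owner match first, otherwise wildcard synthesis, otherwise None."""
    if name in zone:
        return zone[name]
    owner = _wildcard_owner(zone, name)
    return zone[owner] if owner else None


def follow_cnames(zone, qname, max_depth=16):
    """Chase CNAMEs from qname. Returns (status, chain) where status is
    "ok" (landed on a non-CNAME owner), "nxdomain", "loop" or "too-long"."""
    chain, seen, name = [qname], {qname}, qname
    while True:
        rrset = lookup(zone, name)
        if rrset is None:
            return "nxdomain", chain
        target = rrset.get("CNAME")
        if target is None:
            return "ok", chain
        if target in seen:                 # wildcard re-synthesizes the target
            return "loop", chain + [target]
        if len(chain) >= max_depth:
            return "too-long", chain
        seen.add(target)
        chain.append(target)
        name = target


def looping_wildcards(zone):
    """Zone lint: wildcard CNAMEs whose target chases back to themselves."""
    return [owner for owner, rrs in zone.items()
            if owner.startswith("*.") and "CNAME" in rrs
            and follow_cnames(zone, rrs["CNAME"])[0] == "loop"]
```

Run the lint against a zone before signing and publishing it; a TLSA (or any) query under the flagged wildcard, e.g. `_25._tcp.mx.frasier.family.`, is the case a DANE-enabled MTA would hit.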