[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)
Tony Finch
dot at dotat.at
Mon Apr 16 10:31:09 UTC 2018
Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> When requesting the TLSA records for "frasier.family" I get: [stuff]
>
> The response has a rather odd circular CNAME, and mysteriously
> sends the supporting NSEC3 RR and its signature twice (for good
> measure?).
>
> Anyway, the consequences for unbound as the resolver are:
>
> _25._tcp.frasier.family. IN TLSA ? ; ServFail AD=0

I wonder why unbound gets in a tangle - BIND and Knot handle it OK.

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
oppose all forms of entrenched privilege and inequality