[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Tony Finch dot at dotat.at
Mon Apr 16 10:31:09 UTC 2018

Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:

> When requesting the TLSA records for "frasier.family" I get: [stuff]
> The response has a rather odd circular CNAME, and mysteriously
> sends the supporting NSEC3 RR and its signature twice (for good
> measure?).
> Anyway the consequences for unbound as the resolver are:
>   _25._tcp.frasier.family. IN TLSA ? ; ServFail AD=0

I wonder why unbound gets in a tangle - BIND and Knot handle it OK.

