[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Apr 16 14:14:31 UTC 2018
> On Apr 16, 2018, at 6:31 AM, Tony Finch <dot at dotat.at> wrote:
>
>> Anyway the consequences for unbound as the resolver are:
>>
>> _25._tcp.frasier.family. IN TLSA ? ; ServFail AD=0
>
> I wonder why unbound gets in a tangle - BIND and Knot handle it OK.
I guess unbound does not like looping CNAME records:
$ dig -t tlsa _25._tcp.frasier.family
; <<>> DiG 9.11.2-P1 <<>> -t tlsa _25._tcp.frasier.family
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17883
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;_25._tcp.frasier.family. IN TLSA
;; Query time: 519 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 16 10:13:28 EDT 2018
;; MSG SIZE rcvd: 52
--
Viktor.
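As an added illustration (not from the thread, and not unbound's code): a toy zone whose wildcard CNAME points back into its own name space, a resolver that chases CNAMEs with loop detection, and the policy a DANE SMTP client applies to each lookup outcome. It generalizes the single case above to any name under the wildcard; the zone data, the placeholder domain example.test and the chain limit are all constructed assumptions.

```python
# Constructed sample zone (placeholder domain, not the real frasier.family
# data): the wildcard CNAME targets a name that the wildcard itself matches,
# so any nonexistent name, including _25._tcp.<domain>, chains into a loop.
ZONE = {
    "example.test.": {"A": ["192.0.2.1"]},
    "*.example.test.": {"CNAME": ["target.example.test."]},  # looping wildcard
    "mx.example.test.": {"A": ["192.0.2.25"]},
    "_25._tcp.mx.example.test.": {"TLSA": ["3 1 1 PLACEHOLDER_DIGEST"]},
    "_25._tcp.plain.example.test.": {"TXT": ["no TLSA here"]},
}
MAX_CNAME_CHAIN = 8  # assumed chain limit, in the spirit of resolver defaults

def name_exists(name):
    """An owner name exists if it or any descendant has records (RFC 4592)."""
    return name in ZONE or any(k.endswith("." + name) for k in ZONE)

def lookup_rrset(name, rtype):
    """Return rdata for name/rtype, synthesizing from the closest wildcard."""
    if name_exists(name):
        return ZONE.get(name, {}).get(rtype, [])
    labels = name.split(".")
    for i in range(1, len(labels) - 1):          # walk up to the closest encloser
        encloser = ".".join(labels[i:])
        if name_exists(encloser):
            return ZONE.get("*." + encloser, {}).get(rtype, [])
    return []

def resolve(qname, qtype):
    """Chase CNAMEs as a resolver would; a loop or over-long chain is SERVFAIL."""
    seen, name = [], qname
    while True:
        rrs = lookup_rrset(name, qtype)
        if rrs:
            return "NOERROR", rrs
        cname = lookup_rrset(name, "CNAME")
        if not cname:
            return "NOERROR", []                     # NODATA / NXDOMAIN: no records
        seen.append(name)
        if cname[0] in seen or len(seen) >= MAX_CNAME_CHAIN:
            return "SERVFAIL", []                    # CNAME loop, as in the dig output
        name = cname[0]

def dane_tlsa_policy(mx_host):
    """What a DANE-aware SMTP client does with the TLSA lookup for an MX host."""
    rcode, tlsa = resolve("_25._tcp." + mx_host, "TLSA")
    if rcode != "NOERROR":
        return "defer"          # lookup error: temporary failure, never "no TLSA"
    return "dane" if tlsa else "opportunistic"
```

The point for operators: a SERVFAIL on the TLSA query is not the same as "no TLSA records", so a DANE-aware MTA defers mail to that host instead of downgrading to unauthenticated TLS.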