[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Apr 16 17:20:19 UTC 2018



> On Apr 16, 2018, at 1:03 PM, John R Levine <johnl at taugh.com> wrote:
> 
> I suppose, but this also seems to me to be a matter of code discipline. CNAME loops can happen any time you do a DNS lookup, so you shouldn't have to code specially for them every time you add a new application.

I agree, but sadly we don't have a CNAMELOOP RCODE.
(In the case of DNSSEC "bogus" would of course trump
"CNAMELOOP" and return ServFail).

Adding such an RCODE at this point would not help much
for quite some time (all the resolver clients would need
to implement support for the new code).

The only realistic option is to change resolvers to
return the looping CNAMEs (à la BIND) with NOERROR,
and let the application figure it out.  This might
cause more work to be done by a few applications
that generate additional queries to follow CNAMEs
(not common I would expect) until they add code to
detect CNAME loops in the initial reply.

-- 
	Viktor.
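The application-side check the message above describes, as an added example that is not code from the thread or from any resolver: given a reply in which the resolver has returned the looping CNAME records with NOERROR, walk the chain from the query name and report a loop before issuing any further queries. The reply layout (owner, rrtype, rdata tuples) and the sample records are constructed for the example.

```python
# Added example: detect a CNAME loop in a NOERROR reply so the application
# can reject the name instead of chasing the chain with more queries.

def canon(name: str) -> str:
    """Normalise an owner or target name: lowercase, single trailing dot."""
    return name.rstrip(".").lower() + "."


def follow_cnames(qname: str, answer: list[tuple[str, str, str]]):
    """Walk the CNAME chain for qname through the reply's answer section.

    answer is a list of (owner, rrtype, rdata) tuples, the shape a resolver
    library might hand back (assumed layout).  Returns (status, chain) where
    status is 'loop', 'answer' or 'nodata' and chain lists the names visited
    in order, with the repeated name last when a loop is found.
    """
    cnames = {canon(o): canon(r) for o, t, r in answer if t.upper() == "CNAME"}
    chain = []
    cur = canon(qname)
    while cur in cnames:
        if cur in chain:
            return "loop", chain + [cur]
        chain.append(cur)
        cur = cnames[cur]
    chain.append(cur)
    # The terminal name must carry a non-CNAME record in this reply, else the
    # chain ends without data (NODATA/NXDOMAIN would show in the RCODE).
    has_data = any(canon(o) == cur and t.upper() != "CNAME" for o, t, r in answer)
    return ("answer" if has_data else "nodata"), chain


# Constructed sample replies for a TLSA lookup (not real zone data).
QNAME = "_25._tcp.mail.example.test"
LOOP_REPLY = [
    ("_25._tcp.mail.example.test.", "CNAME", "mail.example.test."),
    ("mail.example.test.", "CNAME", "_25._tcp.mail.example.test."),
]
OK_REPLY = [
    ("_25._tcp.mail.example.test.", "CNAME", "tlsa.example.test."),
    ("tlsa.example.test.", "TLSA", "3 1 1 <placeholder-hash>"),
]

if __name__ == "__main__":
    print(follow_cnames(QNAME, LOOP_REPLY))  # ('loop', [...])
    print(follow_cnames(QNAME, OK_REPLY))    # ('answer', [...])
```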
