[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)
Randy Bush
randy at psg.com
Mon Apr 16 17:26:07 UTC 2018
>>> It's certainly broken but I don't see anything particularly interesting
>>> about it.
>>
>> you don't understand the goal. i figure that, if viktor is getting a
>> nickel for every dns ops problem he finds, he is gonna be a very rich
>> man. :)
>>
>> features, complexity, mops, ...; we're making a mess. if we could
>> measure breakage, i suspect db/dt would be worrisome.
>
> I suppose, but this also seems to me to be a matter of code
> discipline. CNAME loops can happen any time you do a DNS lookup, so
> you shouldn't have to code specially for them every time you add a new
> application.

that's *this* case. i was up a few thousand meters, speaking to the
number of cases.

as to code discipline, perhaps think about the difference between C,
everyone's favorite assembly language, and the families of languages
which are designed with safety (among other things) in mind.

the dns is the cf gift which just keeps on giving and giving. instead
of more features, we might think about how to make it more rigorous and
safe to deploy, configure, ...

randy