[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Apr 16 18:04:28 UTC 2018

> On Apr 16, 2018, at 1:36 PM, John Levine <johnl at taugh.com> wrote:
>,, and all return SERVFAIL
> helpfully puts the looping CNAME in the answer section.

This sadly does not help a DANE client that needs to avoid downgrade
attacks, because there's no way to know whether ServFail is because
the response is "bogus" or because of the loop.  I'd be reluctant,
to assume that data in the answer section implies the latter and
not the former...


More information about the dns-operations mailing list