[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE (googledomains.com-hosted example)

Petr Špaček petr.spacek at nic.cz
Tue Apr 17 05:55:43 UTC 2018


On 16.4.2018 20:04, Viktor Dukhovni wrote:
>> On Apr 16, 2018, at 1:36 PM, John Levine <johnl at taugh.com> wrote:
>>
>> 1.1.1.1, 8.8.8.8, and 9.9.9.9 all return SERVFAIL
>>
>> 1.1.1.1 helpfully puts the looping CNAME in the answer section.
> 
> This sadly does not help a DANE client that needs to avoid downgrade
> attacks, because there's no way to know whether ServFail is because
> the response is "bogus" or because of the loop.  I'd be reluctant
> to assume that data in the answer section implies the latter and
> not the former...

Speaking with my Knot Resolver manager hat on, I'm not willing to absorb
even higher cost (in terms of code complexity) to handle *even more*
broken domains.

DNS history has already shown us that breakage is not going to be fixed
if nobody feels pain, so exposing breakage in DNS to upper layers is the
only way to get things fixed.

This is consistent with our coordinated effort to stop working around
EDNS incompatibilities; details can be found here:

https://en.blog.nic.cz/2018/03/14/together-for-better-stability-speed-and-further-extensibility-of-the-dns-ecosystem/

-- 
Petr Špaček  @  CZ.NIC
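The two points in the thread, a resolver turning a CNAME loop into SERVFAIL and a DANE client that must not read anything into that SERVFAIL, as an added example. This is not code from the thread, from Knot Resolver or from any public resolver; the zone records, host names and the 8-hop chain cap are constructed for the demo. The resolver follows CNAME chains over the constructed zone and, on a loop, returns SERVFAIL while still handing back the partial chain in the answer section (the behaviour the thread reports for 1.1.1.1). The client-side rule then defers on SERVFAIL without looking at the answer section, the fail-closed behaviour Viktor's reply implies and that RFC 7672 requires for bogus lookups, so a loop and a DNSSEC validation failure are treated the same way and neither can be used to force a downgrade.

```python
"""Toy CNAME-chain resolver plus a DANE SMTP-client decision rule.

Added example for the dns-operations thread; not Knot Resolver code and
not any resolver's real logic.  All zone data below is constructed."""

from typing import Dict, List, Tuple

RR = Tuple[str, str, str]            # (owner, rrtype, rdata)
Zone = Dict[str, List[Tuple[str, str]]]

MAX_CNAME_DEPTH = 8  # assumed chain cap; real resolvers use a similar limit

# Constructed zone data; none of these are real domains' records.
ZONE: Zone = {
    # self-referential loop sitting at the TLSA owner name
    "_25._tcp.loop.example.com.": [("CNAME", "_25._tcp.loop.example.com.")],
    # two-node loop
    "a.example.org.": [("CNAME", "b.example.org.")],
    "b.example.org.": [("CNAME", "a.example.org.")],
    # CNAME that terminates in a TLSA record (digest is a placeholder)
    "_25._tcp.mx.example.net.": [("CNAME", "tlsa.example.net.")],
    "tlsa.example.net.": [("TLSA", "3 1 1 0000")],
    # name exists but has no TLSA (NODATA)
    "_25._tcp.plain.example.org.": [("A", "192.0.2.10")],
}


def resolve(zone: Zone, qname: str, qtype: str) -> Tuple[str, List[RR]]:
    """Follow the CNAME chain for qname/qtype.

    Returns (rcode, answer_section).  On a loop the rcode is SERVFAIL but
    the CNAMEs collected so far stay in the answer section, as the thread
    reports for 1.1.1.1."""
    answer: List[RR] = []
    seen = set()
    name = qname
    for _ in range(MAX_CNAME_DEPTH + 1):
        if name in seen:
            return "SERVFAIL", answer          # CNAME loop detected
        seen.add(name)
        rrs = zone.get(name)
        if rrs is None:
            return "NXDOMAIN", answer
        wanted = [(t, r) for t, r in rrs if t == qtype]
        if wanted:
            answer.extend((name, t, r) for t, r in wanted)
            return "NOERROR", answer
        cnames = [r for t, r in rrs if t == "CNAME"]
        if not cnames:
            return "NOERROR", answer           # NODATA: name exists, no qtype
        answer.append((name, "CNAME", cnames[0]))
        name = cnames[0]
    return "SERVFAIL", answer                  # chain longer than the cap


def dane_policy(rcode: str, answer: List[RR]) -> str:
    """How an SMTP client should treat the MX host after the TLSA lookup.

    'dane'          -> usable TLSA records, enforce DANE
    'opportunistic' -> no TLSA records, fall back to unauthenticated TLS
    'defer'         -> SERVFAIL: a loop and a bogus answer look the same,
                       so never downgrade; retry later instead
    """
    if rcode == "SERVFAIL":
        # Deliberately ignores the answer section: a CNAME present in a
        # SERVFAIL response does not prove the failure was a loop rather
        # than a DNSSEC validation failure.
        return "defer"
    if any(rrtype == "TLSA" for _, rrtype, _ in answer):
        return "dane"
    return "opportunistic"


def tlsa_qname(host: str, port: int = 25) -> str:
    """Owner name of the TLSA record for an SMTP MX host."""
    return f"_{port}._tcp.{host}"


def check_mx(zone: Zone, host: str) -> str:
    """End-to-end: resolve the MX host's TLSA name, then apply the policy."""
    rcode, answer = resolve(zone, tlsa_qname(host), "TLSA")
    return dane_policy(rcode, answer)


if __name__ == "__main__":
    for host in ("loop.example.com.", "mx.example.net.", "plain.example.org."):
        print(host, "->", check_mx(ZONE, host))
```

The resolver side is where the thread's complexity argument lives: detecting the loop is cheap, but distinguishing a loop from validation failure in the response would need a new signal, and the client side shows why the ambiguity is safe only if the client refuses to guess.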


