[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Apr 17 06:26:08 UTC 2018
> On Apr 17, 2018, at 1:55 AM, Petr Špaček <petr.spacek at nic.cz> wrote:
>
>> This sadly does not help a DANE client that needs to avoid downgrade
>> attacks, because there's no way to know whether ServFail is because
>> the response is "bogus" or because of the loop. I'd be reluctant
>> to assume that data in the answer section implies the latter and
>> not the former...
>
> Speaking with my Knot Resolver manager hat on, I'm not willing to absorb
> even higher cost (in terms of code complexity) to handle *even more*
> broken domains.
Fair enough. Bottom line then is that wildcard CNAME loops
and similar data-related breakage that leaks into TLSA lookups
may affect email delivery to the errant domain. To avoid, don't
publish bad data...
--
Viktor.
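To make the failure mode concrete from the zone owner's side, here is an added pre-publication lint (my own example, not code from the thread or from any resolver) that walks a TLSA owner name through a constructed toy zone and reports a wildcard CNAME loop before it is published; the zone contents, the `lookup`/`resolve` helpers and the simplified wildcard matching are all assumptions.

```python
# Added example: detect wildcard CNAME loops that would swallow TLSA lookups.
# Zone model: absolute owner name -> (rrtype, rdata). Wildcard matching is a
# simplification of RFC 4592 (exact name first, then *.parent, *.grandparent).
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]

# Constructed toy zone reproducing the hazard: a wildcard CNAME whose target
# has no explicit records, so the target itself matches the wildcard again.
BROKEN_ZONE: Dict[str, Record] = {
    "example.test.": ("MX", "10 mx.example.test."),
    "mx.example.test.": ("A", "192.0.2.25"),
    "*.example.test.": ("CNAME", "www.example.test."),
}

# Same zone with an explicit TLSA record: the exact match shadows the wildcard.
FIXED_ZONE: Dict[str, Record] = dict(BROKEN_ZONE)
FIXED_ZONE["_25._tcp.mx.example.test."] = ("TLSA", "3 1 1 <placeholder-hash>")


def lookup(zone: Dict[str, Record], name: str) -> Optional[Record]:
    """Exact owner name first; otherwise the closest wildcard ancestor."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):  # try *.parent, *.grandparent, ...
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None


def resolve(zone: Dict[str, Record], qname: str, qtype: str,
            max_steps: int = 16) -> Tuple[str, List[str]]:
    """Follow CNAMEs from qname; return (status, chain of names visited).

    status is one of 'ok', 'nodata', 'nxdomain' or 'loop'. A 'loop' is what
    a validating resolver would surface as SERVFAIL, indistinguishable to a
    DANE client from a bogus (attacker-stripped) answer.
    """
    chain, seen, name = [qname], {qname}, qname
    for _ in range(max_steps):
        rr = lookup(zone, name)
        if rr is None:
            return "nxdomain", chain
        rtype, rdata = rr
        if rtype != "CNAME":
            return ("ok" if rtype == qtype else "nodata"), chain
        name = rdata
        chain.append(name)
        if name in seen:  # CNAME target already visited: the chain loops
            return "loop", chain
        seen.add(name)
    return "loop", chain  # chain too long: treat as broken as well
```

Running `resolve(BROKEN_ZONE, "_25._tcp.mx.example.test.", "TLSA")` reports a loop through `www.example.test.`, while the same query against `FIXED_ZONE` returns `ok`, which is the "don't publish bad data" fix stated above.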