[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Apr 17 06:26:08 UTC 2018

> On Apr 17, 2018, at 1:55 AM, Petr Špaček <petr.spacek at nic.cz> wrote:
>> This sadly does not help a DANE client that needs to avoid downgrade
>> attacks, because there's no way to know whether ServFail is because
>> the response is "bogus" or because of the loop.  I'd be reluctant,
>> to assume that data in the answer section implies the latter and
>> not the former...
> Speaking with my Knot Resolver manager hat on, I'm not willing to absorb
> even higher cost (in terms of code complexity) to handle *even more*
> broken domains.

Fair enough.  Bottom line then is that wildcard CNAME loops
and similar data-related breakage that leaks into TLSA lookups
may affect email delivery to the errant domain.  To avoid, don't
publish bad data...


More information about the dns-operations mailing list