[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Mark Andrews marka at isc.org
Tue Apr 17 07:02:58 UTC 2018


And report broken zones / servers to the operators / owners of the zones. 

It would be useful if dnssec checkers added a NSID option to the queries they make so that servers that mishandle EDNS options are flagged as bad.  DNSSEC validators do issues queries with EDNS option present and when they say the response are good we then have a to go and explain that the tester doesn’t match reality. 



-- 
Mark Andrews

> On 17 Apr 2018, at 16:26, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> 
> 
>>> On Apr 17, 2018, at 1:55 AM, Petr Špaček <petr.spacek at nic.cz> wrote:
>>> 
>>> This sadly does not help a DANE client that needs to avoid downgrade
>>> attacks, because there's no way to know whether ServFail is because
>>> the response is "bogus" or because of the loop.  I'd be reluctant,
>>> to assume that data in the answer section implies the latter and
>>> not the former...
>> 
>> Speaking with my Knot Resolver manager hat on, I'm not willing to absorb
>> even higher cost (in terms of code complexity) to handle *even more*
>> broken domains.
> 
> Fair enough.  Bottom line then is that wildcard CNAME loops
> and similar data-related breakage that leaks into TLSA lookups
> may affect email delivery to the errant domain.  To avoid, don't
> publish bad data...
> 
> -- 
>    Viktor.
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations





More information about the dns-operations mailing list