[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Apr 17 15:12:22 UTC 2018



> On Apr 17, 2018, at 10:43 AM, Jimmy Hess <mysidia at gmail.com> wrote:
> 
> I believe in this example both CNAMEs are invalid, or don't have
> the meaning you are suggesting, since the alias of another CNAME
> cannot be the target of a CNAME record --- the concept of a
> "Loop" doesn't exist,
> 
> And also in that DNS software are specifically required to suppress CNAME
> processing on the target, when evaluating the target of a CNAME, so
> 
> A CNAME can't be a "Loop", again RFC 2181 10.1 "There may be only
> one such canonical name for any one alias"
> AND RFC 2065 2.3.5

I'm afraid you're wrong about that.  Each qname has at most one
CNAME record (no parallel paths), but the alias target may itself be,
and often is, another alias.  For a well-known deep chain, try:

  www.paypal.com.                    CNAME  geo.paypal.com.akadns.net.
  geo.paypal.com.akadns.net.         CNAME  hotspot-www.paypal.com.akadns.net.
  hotspot-www.paypal.com.akadns.net. CNAME  wlb.paypal.com.akadns.net.
  wlb.paypal.com.akadns.net.         CNAME  www.paypal.com.edgekey.net.
  www.paypal.com.edgekey.net.        CNAME  e3694.a.akamaiedge.net.
  e3694.a.akamaiedge.net.            A      104.123.10.240

-- 
	Viktor.
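The point of the reply (one CNAME per owner name, but targets may chain, and a wildcard CNAME can alias a name back onto itself) is easy to check in code. The following is an added illustration, not code from the original thread: a minimal chain-follower over an in-memory record set that reproduces the quoted paypal.com chain, plus a constructed `*.loop.example.` wildcard that aliases every name under it to `mail.loop.example.`, which itself only matches the wildcard, so the chain never terminates. The `tlsa_base_domain()` helper reflects the DANE rule from RFC 7671 that the TLSA base domain is the CNAME-expanded name; a chain that loops or exceeds the resolver's depth limit yields no usable base domain, which is why such loops block DANE. The record set, the `MAX_CHAIN` cap and the simplified wildcard matching (closest enclosing `*` label, without the RFC 4592 "closer-encloser" check) are assumptions for the example.

```python
"""Follow CNAME chains with loop and depth detection over constructed record data."""

from typing import Dict, List, Optional, Tuple

# Constructed record set: owner name -> (rrtype, rdata).  The paypal.com
# entries reproduce the chain quoted in the message; *.loop.example. is a
# made-up wildcard whose target only matches the wildcard itself.
RECORDS: Dict[str, Tuple[str, str]] = {
    "www.paypal.com.": ("CNAME", "geo.paypal.com.akadns.net."),
    "geo.paypal.com.akadns.net.": ("CNAME", "hotspot-www.paypal.com.akadns.net."),
    "hotspot-www.paypal.com.akadns.net.": ("CNAME", "wlb.paypal.com.akadns.net."),
    "wlb.paypal.com.akadns.net.": ("CNAME", "www.paypal.com.edgekey.net."),
    "www.paypal.com.edgekey.net.": ("CNAME", "e3694.a.akamaiedge.net."),
    "e3694.a.akamaiedge.net.": ("A", "104.123.10.240"),
    "*.loop.example.": ("CNAME", "mail.loop.example."),
}

MAX_CHAIN = 8  # assumed depth cap; real resolvers enforce a similar small limit


def lookup(name: str) -> Optional[Tuple[str, str]]:
    """Exact owner match first, then the nearest enclosing wildcard.

    Simplified wildcard matching for the example: it does not implement the
    full RFC 4592 closest-encloser rules.
    """
    if name in RECORDS:
        return RECORDS[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in RECORDS:
            return RECORDS[wildcard]
    return None


def follow_cname(name: str) -> Tuple[str, List[str], Optional[str]]:
    """Expand a CNAME chain starting at name.

    Returns (final_name, chain, error).  error is None when the chain ends at
    a non-CNAME record, "loop" when an owner name recurs, "too_long" when the
    chain exceeds MAX_CHAIN, and "nxdomain" when a target has no data at all.
    """
    chain = [name]
    seen = {name}
    current = name
    while True:
        rr = lookup(current)
        if rr is None:
            return current, chain, "nxdomain"
        rrtype, rdata = rr
        if rrtype != "CNAME":
            return current, chain, None
        target = rdata
        if target in seen:
            chain.append(target)
            return target, chain, "loop"
        if len(chain) >= MAX_CHAIN:
            return target, chain, "too_long"
        seen.add(target)
        chain.append(target)
        current = target


def tlsa_base_domain(name: str) -> Optional[str]:
    """DANE TLSA base domain: the fully CNAME-expanded name (RFC 7671).

    Returns None when expansion fails, meaning no TLSA lookup is possible
    for this name and DANE cannot be used for it.
    """
    final, _, err = follow_cname(name)
    return None if err else final


if __name__ == "__main__":
    for qname in ("www.paypal.com.", "a.loop.example.", "nothere.example."):
        final, chain, err = follow_cname(qname)
        print(f"{qname:22} -> {' -> '.join(chain)}  [{err or 'ok'}]")
        print(f"{'':22}    TLSA base domain: {tlsa_base_domain(qname)}")
```

Running it shows the five-hop paypal chain resolving cleanly to `e3694.a.akamaiedge.net.`, while any name under `loop.example.` aliases to `mail.loop.example.`, which aliases to itself via the same wildcard and is reported as a loop with no TLSA base domain.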
