[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Apr 17 15:12:22 UTC 2018

> On Apr 17, 2018, at 10:43 AM, Jimmy Hess <mysidia at gmail.com> wrote:
> I believe in this example  both CNAMEs are invalid,   Or don't  have
> the meaning you are suggesting,   since the alias of another CNAME
> cannot be  target of a CNAME record  ---  the concept of a
> "Loop" doesn't exist,
> And also In that DNS software are specifically required to  suppress CNAME
> processing on the target,  when evaluating the Target of a CNAME,  so
> A CNAME  Can't be a "Loop",  again  RFC2181 10.1    "There may be only
> one such canonical name for any one alias"
> AND    RFC 2065  2.3.5

I'm afraid you're wrong about that.  Each qname has at most one
CNAME record (no parallel paths), but the alias target may itself be,
and often is, another alias.  For a well-known deep chain, try:

  www.paypal.com.                    CNAME   geo.paypal.com.akadns.net.
  geo.paypal.com.akadns.net.         CNAME hotspot-www.paypal.com.akadns.net.
  hotspot-www.paypal.com.akadns.net. CNAME wlb.paypal.com.akadns.net.
  wlb.paypal.com.akadns.net.         CNAME www.paypal.com.edgekey.net.
  www.paypal.com.edgekey.net.        CNAME e3694.a.akamaiedge.net.
  e3694.a.akamaiedge.net.            A


More information about the dns-operations mailing list