[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Apr 17 18:03:25 UTC 2018
> On Apr 17, 2018, at 1:23 PM, John Levine <johnl at taugh.com> wrote:
>
>> Yes, I know. On the list of things to discuss with Wietse, but can we
>> rely on all iterative resolvers to do "sufficient" recursion?
>
> Yes. If they don't they are badly broken and the solution is to use
> one that is not broken.
I suspected as much. Will try to get next year's Postfix to drop
internal recursion, which will then no longer "penalize" BIND for
returning the direct loop as a NOERROR.
> In practice, I do not ever remember hearing of a resolver that didn't
> handle a finite CNAME chain. This sounds to me like a problem
> masquerading as a solution in search of a problem.
The Postfix DNS lookup glue dates back to 1997. "The past is a foreign
country, they do things differently there." [1]
--
Viktor.
[1] L.P. Hartley, "The Go-Between".
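The "direct loop" described in this thread, worked through as an added example (not code from the thread or from Postfix): a wildcard CNAME whose target does not exist is synthesized for its own target, so a client that follows CNAME chains itself, as the Postfix glue does, must detect the repeated name rather than treating the NOERROR CNAME answer as progress. The zone data and the TLSA digest below are constructed placeholders.

```python
# Added example: minimal wildcard-aware CNAME chain follower over constructed zone data.
# Names are lowercase FQDNs with a trailing dot. Zone maps owner -> (rtype, rdata).
ZONE = {
    "example.com.": ("A", "192.0.2.1"),
    "mail.example.com.": ("A", "192.0.2.25"),
    "_25._tcp.mail.example.com.": ("TLSA", "3 1 1 PLACEHOLDER_DIGEST"),
    # Wildcard whose target does not exist: www.example.com. is itself
    # synthesized from this wildcard, giving a one-hop loop.
    "*.example.com.": ("CNAME", "www.example.com."),
}


def exists(zone, name):
    """A name exists if it owns records or is an ancestor of one (empty non-terminal)."""
    return any(n == name or n.endswith("." + name) for n in zone)


def lookup(zone, qname):
    """Return (rtype, rdata) for qname, synthesizing a wildcard answer (RFC 4592 style)
    at the closest encloser when qname does not exist. None means NXDOMAIN."""
    if qname in zone:
        return zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):  # ancestors, nearest first, excluding the root
        ancestor = ".".join(labels[i:])
        if exists(zone, ancestor):  # closest encloser found
            return zone.get("*." + ancestor)  # wildcard there, or NXDOMAIN
    return None


def follow_chain(zone, qname, qtype, max_hops=8):
    """Follow CNAMEs as a client doing its own recursion would.
    Returns (status, chain): status is 'data', 'nodata', 'nxdomain', 'loop' or 'too_long'."""
    chain, seen, name = [qname], {qname}, qname
    while True:
        rr = lookup(zone, name)
        if rr is None:
            return ("nxdomain", chain)
        rtype, rdata = rr
        if rtype != "CNAME":
            return ("data" if rtype == qtype else "nodata", chain)
        chain.append(rdata)
        if rdata in seen:  # the target is already on the chain: a loop, not an answer
            return ("loop", chain)
        if len(chain) > max_hops:  # bound the walk even without an exact repeat
            return ("too_long", chain)
        seen.add(rdata)
        name = rdata
```

Looking up the TLSA name for a host covered only by the wildcard walks into the loop after one hop; the existing `_25._tcp.mail.example.com.` record resolves normally.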