[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Apr 17 18:03:25 UTC 2018

> On Apr 17, 2018, at 1:23 PM, John Levine <johnl at taugh.com> wrote:
>> Yes, I know.  On the list of things to discuss with Wietse, but can we
>> rely on all iterative resolvers to do "sufficient" recursion?
> Yes.  If they don't they are badly broken and the solution is to use
> one that is not broken.

I suspected as much.  Will try to get next year's Postfix to drop
internal recursion, which will then no longer "penalize" BIND for
returning the direct loop as a NOERROR.

> In practice, I do not ever remember hearing of a resolver that didn't
> handle a finite CNAME chain.  This sounds to me like a problem
> masquerading as a solution in search of a problem.

The Postfix DNS lookup glue dates back to 1997. "The past is a foreign
country, they do things differently there." [1]


[1] L.P. Hartley, "The Go-Between".

More information about the dns-operations mailing list