[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Paul Vixie paul at redbarn.org
Tue Apr 17 20:16:34 UTC 2018

Jeremy Harris wrote:
> On 17/04/18 13:55, Tony Finch wrote:
>> Viktor Dukhovni<ietf-dane at dukhovni.org>  wrote:
>>> The Postfix DNS layer does not look for direct (a ->  a) loops and
>>> recurses when the answer is a CNAME (in case the resolver did not
>>> recurse all the way to the answer).
>> That should be unnecessary - part of the point of a recursive server is it
>> does the work for you
> Exim also.  The coding dates from 1997.

no stub or app should follow a dangling cname. if the RD=1 RA=1 response 
does not begin with the qname and end with an address, then the dns 
lookup should be treated as nodata would have been treated.

sendmail used to walk through the additional section of an MX response 
hoping to find the address without having to make a separate query for 
it. this was eventually seen as silly, since the additional data would 
have been cached. then it was seen as non-silly again, when credibility 
ranking was added, and additional data was cached in a way that made it 
ineligible for anything but additional data. at various times sendmail 
and i think exim did an ANY query, too. bad ideas, all.

P Vixie

More information about the dns-operations mailing list