[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)
Paul Vixie
paul at redbarn.org
Tue Apr 17 20:16:34 UTC 2018
Jeremy Harris wrote:
> On 17/04/18 13:55, Tony Finch wrote:
>> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>>> The Postfix DNS layer does not look for direct (a -> a) loops and
>>> recurses when the answer is a CNAME (in case the resolver did not
>>> recurse all the way to the answer).
>> That should be unnecessary - part of the point of a recursive server is it
>> does the work for you
>
> Exim also. The coding dates from 1997.
no stub or app should follow a dangling cname. if the RD=1 RA=1 response
does not begin with the qname and end with an address, then the dns
lookup should be treated as nodata would have been treated.
sendmail used to walk through the additional section of an MX response
hoping to find the address without having to make a separate query for
it. this was eventually seen as silly, since the additional data would
have been cached. then it was seen as non-silly again, when credibility
ranking was added, and additional data was cached in a way that made it
ineligible for anything but additional data. at various times sendmail
and i think exim did an ANY query, too. bad ideas, all.
--
P Vixie
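The rule in the post (an RD=1 RA=1 answer must start at the qname and end at an address record, otherwise the lookup is treated as NODATA) can be expressed as a small validator over the answer section. The code below is an added example written for this page; it is not code from Postfix, Exim, sendmail or any resolver library. The `RR` dataclass, the `addresses_from_answer` function, the `max_hops` bound and the sample answer sections are all constructed here and simplify a real answer section to (owner, type, rdata) triples.

```python
"""Validate the answer section of a recursive (RD=1, RA=1) DNS response.

Added example, not code from Postfix/Exim/sendmail. The chain must begin at
the queried name and end in an A/AAAA record at the final owner; a dangling
CNAME, a CNAME loop (including a direct a -> a loop), an answer that does not
start at the qname, or an over-long chain are all reported as NODATA (None).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RR:
    """One resource record from an answer section (simplified model)."""
    owner: str
    rtype: str   # "CNAME", "A", "AAAA", ...
    rdata: str


def _canon(name: str) -> str:
    # DNS names are case-insensitive; normalise the trailing dot as well.
    return name.rstrip(".").lower()


def addresses_from_answer(qname: str, answer: List[RR],
                          max_hops: int = 8) -> Optional[List[str]]:
    """Return the address rdata the chain ends in, or None to mean NODATA.

    max_hops is an assumed bound on the number of CNAME indirections a
    stub is willing to follow inside one answer section.
    """
    current = _canon(qname)
    seen = {current}
    for _ in range(max_hops + 1):
        addrs = [rr.rdata for rr in answer
                 if _canon(rr.owner) == current and rr.rtype in ("A", "AAAA")]
        if addrs:
            return addrs                # chain ends at an address: good
        cnames = [rr.rdata for rr in answer
                  if _canon(rr.owner) == current and rr.rtype == "CNAME"]
        if not cnames:
            return None                 # dangling: no address and no CNAME here
        if len(cnames) > 1:
            return None                 # more than one CNAME at an owner is malformed
        nxt = _canon(cnames[0])
        if nxt in seen:
            return None                 # loop (a -> a or a -> b -> a): do not follow
        seen.add(nxt)
        current = nxt
    return None                         # chain longer than max_hops


# Constructed sample answer sections (RFC 2606 / RFC 5737 reserved values).
GOOD_ANSWER = [
    RR("mail.example.test.", "CNAME", "mx.example.test."),
    RR("mx.example.test.", "A", "192.0.2.1"),
]
DANGLING_ANSWER = [
    RR("mail.example.test.", "CNAME", "other.example.test."),
]
LOOP_ANSWER = [
    RR("a.example.test.", "CNAME", "b.example.test."),
    RR("b.example.test.", "CNAME", "a.example.test."),
]
SELF_LOOP_ANSWER = [
    RR("a.example.test.", "CNAME", "a.example.test."),
]
WRONG_OWNER_ANSWER = [
    RR("unrelated.example.test.", "A", "192.0.2.2"),
]


if __name__ == "__main__":
    print(addresses_from_answer("mail.example.test", GOOD_ANSWER))      # ['192.0.2.1']
    print(addresses_from_answer("mail.example.test", DANGLING_ANSWER))  # None
    print(addresses_from_answer("a.example.test", LOOP_ANSWER))         # None
    print(addresses_from_answer("a.example.test", SELF_LOOP_ANSWER))    # None
    print(addresses_from_answer("mail.example.test", WRONG_OWNER_ANSWER))  # None
```

The point of returning `None` rather than raising or re-querying is the one the post makes: the recursive server has already done the work, so an answer section that does not carry the chain from the qname to an address is reported exactly as a NODATA response would be, and the application does not go chasing the dangling target itself.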