[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon May 7 03:52:18 UTC 2018
> On Apr 17, 2018, at 3:51 PM, John Levine <johnl at taugh.com> wrote:
>
>> *.frasier.family. IN CNAME \@
>>
>> breaks email delivery to that domain from DANE-enabled Postfix or Exim.
>
> Except that it has no MX and the A record host doesn't respond on port
> 25. It's just broken. Nothing to see here, move along.
So far, googledomains.com is lucky in that regard. A second newly found
domain with the same potential issue also does not appear to accept email:
@ns-cloud-c1.googledomains.com.[216.239.32.108]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37445
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.christianfreear.com. IN TLSA
_25._tcp.christianfreear.com. CNAME \@.christianfreear.com.
\@.christianfreear.com. CNAME \@.christianfreear.com.
christianfreear.com. IN MX ? ; NODATA AD=1
christianfreear.com. IN A 86.184.111.178 ; NoError AD=1
christianfreear.com. IN AAAA ? ; NODATA AD=1
_25._tcp.christianfreear.com. IN TLSA ? ; ServFail AD=0
christianfreear.com[86.184.111.178]: connection timeout
--
Viktor.
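Added example, not part of the original post: a small Python simulation of how a resolver follows CNAMEs for the `_25._tcp.<host>` TLSA query when a zone carries a self-referential wildcard CNAME like the one above, and how the resulting loop (SERVFAIL) differs from the harmless "no TLSA" (NODATA) case a zone operator would expect. The zone data, the hop limit and the function names are constructed for illustration and simplify wildcard matching (closest-enclosing `*.` node, one record per type).

```python
# Added example: simulate CNAME chasing with wildcard synthesis to show why
# "*.example IN CNAME \@" turns a TLSA lookup into a CNAME loop (SERVFAIL),
# which DANE-enabled MTAs treat as a lookup failure rather than "no TLSA".
from typing import Dict, List, Optional, Tuple

MAX_CHAIN = 16  # hypothetical hop limit standing in for a resolver's own bound

# Constructed zone modelled on the output in the thread: the wildcard CNAME
# target "\@" (a literal escaped label, not the apex) is itself covered by
# the wildcard, so it points back at itself.
ZONE: Dict[str, Dict[str, str]] = {
    "christianfreear.com.": {"A": "86.184.111.178"},
    "*.christianfreear.com.": {"CNAME": "\\@.christianfreear.com."},
}


def find_rrset(zone: Dict[str, Dict[str, str]], name: str) -> Optional[Dict[str, str]]:
    """Exact owner match first; otherwise synthesize from the closest '*.<parent>'."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return zone[wild]
    return None


def resolve(zone: Dict[str, Dict[str, str]], qname: str, qtype: str) -> Tuple[str, object, List[str]]:
    """Return (status, answer, cname_chain); status is NOERROR/NODATA/NXDOMAIN/SERVFAIL."""
    chain, seen, name = [qname], {qname}, qname
    while True:
        rrset = find_rrset(zone, name)
        if rrset is None:
            return ("NXDOMAIN", None, chain)
        if qtype in rrset:
            return ("NOERROR", rrset[qtype], chain)
        if "CNAME" not in rrset:
            return ("NODATA", None, chain)
        target = rrset["CNAME"]
        if target in seen or len(chain) >= MAX_CHAIN:
            return ("SERVFAIL", "CNAME loop", chain)  # resolver gives up
        seen.add(target)
        chain.append(target)
        name = target


def tlsa_outcome(zone: Dict[str, Dict[str, str]], mx_host: str) -> str:
    """What a DANE-enabled MTA learns from the TLSA lookup for mx_host."""
    status = resolve(zone, f"_25._tcp.{mx_host}", "TLSA")[0]
    if status == "NOERROR":
        return "TLSA present: DANE-authenticated TLS required"
    if status in ("NODATA", "NXDOMAIN"):
        return "no TLSA: fall back to opportunistic TLS"
    return "TLSA lookup failed: delivery deferred, not downgraded"
```

A zone check that runs `resolve(zone, "_25._tcp.<mx>", "TLSA")` for every MX host and flags SERVFAIL catches this misconfiguration before DANE-enabled senders do.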