[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)
ietf-dane at dukhovni.org
Mon May 7 03:52:18 UTC 2018
> On Apr 17, 2018, at 3:51 PM, John Levine <johnl at taugh.com> wrote:
>> *.frasier.family. IN CNAME \@
>> breaks email delivery to that domain from DANE-enabled Postfix or Exim.
> Except that it has no MX and the A record host doesn't respond on port
> 25. It's just broken. Nothing to see here, move along.

So far, googledomains.com is lucky in that regard. A second newly found
domain with the same potential issue also does not appear to accept email:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37445
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.christianfreear.com. IN TLSA
_25._tcp.christianfreear.com. CNAME \@.christianfreear.com.
\@.christianfreear.com. CNAME \@.christianfreear.com.
christianfreear.com. IN MX ? ; NODATA AD=1
christianfreear.com. IN A 188.8.131.52 ; NoError AD=1
christianfreear.com. IN AAAA ? ; NODATA AD=1
_25._tcp.christianfreear.com. IN TLSA ? ; ServFail AD=0
christianfreear.com[184.108.40.206]: connection timeout
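
Added example, not part of the original message: a small offline model of the lookups quoted above, showing why a wildcard CNAME whose target is a literal "@" label loops for the TLSA query while the apex A and MX lookups are unaffected. The zone contents (example.com, 192.0.2.1), the MAX_CHAIN cap, the function names, and the simplified wildcard matching are assumptions made for the illustration.

```python
# Constructed zones modelled on the quoted dig output; example.com and
# 192.0.2.1 are placeholders, not values from the message.
LOOPING = {
    "example.com.": {"A": ["192.0.2.1"]},
    "*.example.com.": {"CNAME": ["\\@.example.com."]},  # literal "@" label
}
# Constructed comparison: the same wildcard pointing at the zone apex.
APEX_TARGET = {
    "example.com.": {"A": ["192.0.2.1"]},
    "*.example.com.": {"CNAME": ["example.com."]},
}
MAX_CHAIN = 8  # assumed cap on CNAME hops; real resolvers choose their own

def lookup_node(zone, name):
    """RRsets at name, with simplified RFC 4592 wildcard synthesis."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        # Closest encloser: nearest ancestor that owns or contains records.
        if any(o == ancestor or o.endswith("." + ancestor) for o in zone):
            return zone.get("*." + ancestor)  # None -> NXDOMAIN
    return None

def resolve(zone, qname, qtype):
    """Follow CNAMEs for qname/qtype; return (status, chain_of_targets)."""
    chain, seen, name = [], set(), qname.lower()
    while True:
        if name in seen or len(chain) >= MAX_CHAIN:
            return "LOOP", chain  # the quoted output shows ServFail here
        seen.add(name)
        node = lookup_node(zone, name)
        if node is None:
            return "NXDOMAIN", chain
        if qtype in node:
            return "NOERROR", chain
        if "CNAME" not in node:
            return "NODATA", chain
        name = node["CNAME"][0].lower()
        chain.append(name)

def tlsa_status(zone, host, port=25):
    """Status of the TLSA lookup a DANE-enabled MTA makes for host:port."""
    return resolve(zone, f"_{port}._tcp.{host}", "TLSA")

if __name__ == "__main__":
    for label, zone in (("looping", LOOPING), ("apex target", APEX_TARGET)):
        print(label, tlsa_status(zone, "example.com."))
```

In the looping zone the `\@` name is itself matched by the wildcard, so the chain never terminates; in the comparison zone the chain ends at the apex with NODATA for TLSA.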