[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Mon May 7 03:52:18 UTC 2018

> On Apr 17, 2018, at 3:51 PM, John Levine <johnl at taugh.com> wrote:
>> *.frasier.family. IN CNAME \@
>> breaks email delivery to that domain from DANE-enabled Postfix or Exim.
> Except that it has no MX and the A record host doesn't respond on port
> 25.  It's just broken.  Nothing to see here, move along.

So far, googledomains.com is lucky in that regard.  A second newly found
domain with the same potential issue also does not appear to accept email:

  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37445
  ;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1
  ;_25._tcp.christianfreear.com. IN TLSA
  _25._tcp.christianfreear.com. CNAME \@.christianfreear.com.
  \@.christianfreear.com. CNAME   \@.christianfreear.com.

  christianfreear.com. IN MX ? ; NODATA AD=1
  christianfreear.com. IN A ; NoError AD=1
  christianfreear.com. IN AAAA ? ; NODATA AD=1
  _25._tcp.christianfreear.com. IN TLSA ? ; ServFail AD=0
    christianfreear.com[]: connection timeout
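The mechanism behind the ServFail above, as an added illustration that is not part of this message or the thread: the wildcard's CNAME target is the literal one-character label `@` (what an escaped `\@` denotes in a zone file), not the zone apex, so the target does not exist explicitly, the same wildcard synthesizes it again, and the CNAME chain points at itself. A DANE-enabled MTA treats a SERVFAIL on the TLSA lookup as a temporary failure, not as "no TLSA record", which is why delivery would defer if the domain accepted mail. The in-memory zone, the `192.0.2.10` address and the resolver below are constructed for the example (a simplified model of CNAME chasing and RFC 4592 wildcard synthesis, not a full implementation); the corrected zone, whose wildcard points at the real apex, is shown beside it for contrast.

```python
"""Model of a self-referencing wildcard CNAME and how a TLSA lookup fails on it."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RRMap = Dict[str, List[str]]          # rrtype -> [rdata, ...]


@dataclass
class Zone:
    apex: str                          # absolute, lowercase, trailing dot
    rrsets: Dict[str, RRMap]           # owner name -> RRMap

    def contains(self, name: str) -> bool:
        return name == self.apex or name.endswith("." + self.apex)

    def exists(self, name: str) -> bool:
        """True for explicit owners and for empty non-terminals."""
        return name in self.rrsets or any(o.endswith("." + name) for o in self.rrsets)


# Constructed zone reproducing the pattern from the dig excerpt: the wildcard
# CNAME target is the escaped label "\@", i.e. a label consisting of '@'.
BROKEN = Zone("christianfreear.com.", {
    "christianfreear.com.": {"A": ["192.0.2.10"]},               # constructed address
    "*.christianfreear.com.": {"CNAME": ["\\@.christianfreear.com."]},
})

# Same zone with the wildcard pointing at the actual apex (constructed fix).
FIXED = Zone("christianfreear.com.", {
    "christianfreear.com.": {"A": ["192.0.2.10"]},
    "*.christianfreear.com.": {"CNAME": ["christianfreear.com."]},
})


def node_for(zone: Zone, name: str) -> Optional[RRMap]:
    """RRs for name: explicit data, {} for an empty non-terminal, the
    wildcard's RRs when synthesis applies, or None for NXDOMAIN.
    Simplified RFC 4592 rule: find the closest existing ancestor and use
    '*.<ancestor>' if that owner exists."""
    if name in zone.rrsets:
        return zone.rrsets[name]
    if zone.exists(name):
        return {}
    parts = name.split(".")
    for i in range(1, len(parts) - 1):       # stop before the root label ''
        ancestor = ".".join(parts[i:])
        if zone.exists(ancestor):
            return zone.rrsets.get("*." + ancestor)
    return None


def resolve(zone: Zone, qname: str, qtype: str, max_chain: int = 8) -> Tuple[str, List[str]]:
    """Chase CNAMEs the way a resolver does. Returns (rcode, answer) where
    answer lists the RRs gathered as 'owner TYPE rdata'. A name visited twice
    (or a chain longer than max_chain) is a loop and yields SERVFAIL."""
    answer: List[str] = []
    seen = set()
    name = qname.lower()
    while True:
        if not zone.contains(name):
            return ("REFUSED", answer)       # outside this zone; a real resolver would recurse
        if name in seen or len(answer) >= max_chain:
            return ("SERVFAIL", answer)      # CNAME loop: this is the TLSA case above
        seen.add(name)
        node = node_for(zone, name)
        if node is None:
            return ("NXDOMAIN", answer)
        if "CNAME" in node and qtype != "CNAME":
            target = node["CNAME"][0]
            answer.append(f"{name} CNAME {target}")
            name = target.lower()
            continue
        if qtype in node:
            answer.extend(f"{name} {qtype} {rd}" for rd in node[qtype])
            return ("NOERROR", answer)
        return ("NODATA", answer)            # name exists, no RRs of this type


def wildcard_cname_loops(zone: Zone) -> List[Tuple[str, str]]:
    """Lint check: wildcard CNAMEs whose target is itself synthesized by the
    same wildcard loop for every name they cover."""
    bad = []
    for owner, rrs in zone.rrsets.items():
        if owner.startswith("*.") and "CNAME" in rrs:
            target = rrs["CNAME"][0]
            if resolve(zone, target, "A")[0] == "SERVFAIL":
                bad.append((owner, target))
    return bad


if __name__ == "__main__":
    for zone, label in ((BROKEN, "broken"), (FIXED, "fixed")):
        rcode, chain = resolve(zone, "_25._tcp.christianfreear.com.", "TLSA")
        print(label, "TLSA ->", rcode)
        for rr in chain:
            print("   ", rr)
        print(label, "loops:", wildcard_cname_loops(zone))
```

Running the lint over a zone before publishing it (or over a dump of an existing zone) catches the `\@` mistake without waiting for a peer's MTA to start deferring: the broken zone reports the wildcard as looping, the corrected one returns NODATA for the TLSA query, which DANE clients treat as "no TLSA published" and fall back to ordinary opportunistic TLS.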
