[dns-operations] CNAMEs pointing off into the weeds - inconsistent behavior from different recursive codebases
dot at dotat.at
Wed Oct 9 11:48:31 UTC 2019
Rob Seastrom <rs-lists at seastrom.com> wrote:
> I might add that I was slightly surprised that this works - it seems
> unaddressed in the ACME spec but kind of feels like a potential attack
> surface particularly since it works even to a non-child,
> non-same-origin (pedantically, not quite "out of bailiwick" but YKWIM)
Viktor has answered your question, but wrt this point, Let's Encrypt is in
general very happy to follow indirections, whether CNAMEs for dns-01 or
redirects for http-01. RFC 8555 mentions HTTP redirects but not CNAMEs.
Both kinds of aliasing allow for lots of fun games.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Trafalgar: Northerly or northeasterly 4 to 6, increasing 7 at times in east.
Rough or very rough. Fair. Good.
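
An added example, not part of the original post and not code from any ACME client or CA: a small audit that follows `_acme-challenge` CNAME chains in a record set and reports which names have their dns-01 lookup aliased outside the zone being audited. The records, the zone name `example.com` and all function names are constructed assumptions.

```python
# Constructed sample records (owner, type, target); not from the original post.
RECORDS = [
    ("_acme-challenge.www.example.com.", "CNAME", "www.acme.example.com."),
    ("www.acme.example.com.", "CNAME", "token-1.validation.example.net."),
    ("_acme-challenge.mail.example.com.", "CNAME", "mail.acme.example.com."),
    ("_acme-challenge.loop.example.com.", "CNAME", "a.example.com."),
    ("a.example.com.", "CNAME", "_acme-challenge.loop.example.com."),
]

def norm(name):
    """Lower-case and make fully qualified so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_zone(name, zone):
    """True if name is the zone apex or below it (match on a label boundary)."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def follow(name, cnames, max_hops=8):
    """Follow the CNAME chain from name; return (final_name, hops, looped)."""
    seen, current = [], norm(name)
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            return current, seen, True
        seen.append(current)
        current = cnames[current]
    return current, seen, False

def audit(records, zone):
    """Classify every _acme-challenge alias as in-zone, external or loop."""
    cnames = {norm(o): norm(t) for o, typ, t in records if typ == "CNAME"}
    findings = []
    for owner in sorted(cnames):
        if not owner.startswith("_acme-challenge."):
            continue
        final, _hops, looped = follow(owner, cnames)
        status = "loop" if looped else (
            "in-zone" if in_zone(final, zone) else "external")
        findings.append((owner, final, status))
    return findings

if __name__ == "__main__":
    for owner, final, status in audit(RECORDS, "example.com"):
        print(f"{status:9} {owner} -> {final}")
```

An `external` finding means the TXT record a CA will read for that name lives in a zone someone else operates, so those aliases are the ones to review and monitor for change.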