[dns-operations] CNAMEs pointing off into the weeds - inconsistent behavior from different recursive codebases

Tony Finch dot at dotat.at
Wed Oct 9 11:48:31 UTC 2019

Rob Seastrom <rs-lists at seastrom.com> wrote:
> I might add that I was slightly surprised that this works - it seems
> unaddressed in the ACME spec but kind of feels like a potential attack
> surface, particularly since it works even to a non-child,
> non-same-origin (pedantically, not quite "out of bailiwick" but YKWIM)
> zone.

Viktor has answered your question, but wrt this point, Let's Encrypt is in
general very happy to follow indirections, whether CNAMEs for dns-01 or
redirects for http-01. RFC 8555 mentions HTTP redirects but not CNAMEs.
Both kinds of aliasing allow for lots of fun games.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Trafalgar: Northerly or northeasterly 4 to 6, increasing 7 at times in east.
Rough or very rough. Fair. Good.
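The dns-01 indirection discussed above, as an added example that is not part of the thread and not Let's Encrypt's validator code: it walks the CNAME chain a dns-01 check would follow from _acme-challenge.<host>, bounds the walk against loops and over-long chains, and reports whether the name that finally has to carry the TXT record sits inside the zone being validated or in some other party's zone. All names, records and the MAX_HOPS cap are constructed for the example; a real validator would additionally compare the TXT rdata against the key-authorization digest.

```python
# Added example, not from the dns-operations thread or from Let's Encrypt.
# Audits where an ACME dns-01 validation for a host actually ends up after
# CNAME chasing, so an operator can see which foreign zones it depends on.

MAX_HOPS = 8  # assumption for the example; real resolvers also cap CNAME chasing


def normalize(name: str) -> str:
    """Canonical form for comparison: lowercase, exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or below it (respects label boundaries,
    so 'notexample.com.' is not inside 'example.com.')."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def follow_cnames(name: str, records: dict, max_hops: int = MAX_HOPS):
    """Walk CNAMEs from name through the record map.

    records maps owner name -> (rtype, rdata); a single record per owner is
    enough for this example.  Returns (chain, status): chain is every owner
    name visited, starting with the query name; status is the lowercase type
    of the terminal record ('txt'), or 'nxdomain', 'loop' or 'too_long'.
    """
    chain = [normalize(name)]
    seen = {chain[0]}
    while True:
        rr = records.get(chain[-1])
        if rr is None:
            return chain, "nxdomain"
        rtype, rdata = rr
        if rtype != "CNAME":
            return chain, rtype.lower()
        target = normalize(rdata)
        if target in seen:
            return chain + [target], "loop"
        if len(chain) >= max_hops:
            return chain, "too_long"
        chain.append(target)
        seen.add(target)


def audit_dns01(host: str, zone: str, records: dict) -> dict:
    """Summarise where the dns-01 validation for host terminates."""
    chain, status = follow_cnames("_acme-challenge." + normalize(host), records)
    terminal = chain[-1]
    return {
        "host": normalize(host),
        "chain": chain,
        "status": status,
        "hops": len(chain) - 1,
        "in_zone": in_zone(terminal, zone),
    }


# Constructed toy zone data (hypothetical names): owner -> (rtype, rdata).
RECORDS = {
    # delegated to a third-party ACME DNS service in a different zone
    "_acme-challenge.www.example.com.": ("CNAME", "_acme-challenge.www.example.com.acme.example.net."),
    "_acme-challenge.www.example.com.acme.example.net.": ("TXT", "constructed-key-authz-digest"),
    # delegated within the same zone (e.g. a sub-zone the operator controls)
    "_acme-challenge.api.example.com.": ("CNAME", "acme.api.example.com."),
    "acme.api.example.com.": ("TXT", "constructed-key-authz-digest"),
    # misconfiguration: two names pointing at each other
    "_acme-challenge.loop.example.com.": ("CNAME", "_acme-challenge.loop2.example.com."),
    "_acme-challenge.loop2.example.com.": ("CNAME", "_acme-challenge.loop.example.com."),
}

ZONE = "example.com."


if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "loop.example.com", "missing.example.com"):
        result = audit_dns01(host, ZONE, RECORDS)
        where = "in-zone" if result["in_zone"] else "OFF-ZONE"
        print(f"{result['host']:<28} {result['status']:<9} hops={result['hops']} {where}")
        print("    " + " -> ".join(result["chain"]))
```

Run it against an export of the real zone (or swap the dict for live lookups) and any row marked OFF-ZONE is a name whose certificate issuance is controlled by whoever runs that other zone, which is exactly the surface the thread is pointing at.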
