[dns-operations] Cloudflare considered harmful?

Paul Vixie paul at redbarn.org
Fri Apr 3 01:51:36 UTC 2020


On Thursday, 2 April 2020 23:59:30 UTC Mark Andrews wrote:
> ...
> 
> This means there is no push back on operators doing the wrong thing with
> those servers.  BIND has refused to load zones with CNAME and other data
> for the last 20+ years so, yes, it can be done.  It just requires DNS
> vendors to have the intestinal fortitude to stop loading such zones.  I
> hope that when HTTPSSVC is finalised DNS vendors which allow CNAME and
> other data to load will stop doing so, if not before then.  HTTPSSVC, in
> most cases, provides an operational replacement for why the CNAME record has
> been installed.

I suggest that if the NSEC or NSEC3 bit mask indicates that both CNAME and any
other type are present, then it should be treated as a bogus condition. In
other words, let's not only poison this data pattern at zone load, but also at
validation time.

-- 
Paul
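The check proposed above, as an added example that is not part of the original post or of any DNS implementation: it decodes the RFC 4034 section 4.1.2 / RFC 5155 section 3.2.1 type bit map wire format (repeated window number, length, bitmap triples) and flags a bitmap that asserts CNAME next to other data. One caveat a validator must honour: at a signed name the NSEC bitmap also carries the NSEC and RRSIG types themselves (and an NSEC3 bitmap carries RRSIG), so those two are exempted here; treating them as "other data" would mark every signed CNAME bogus. The function names and the sample bitmaps are constructed for this illustration.

```python
"""Flag NSEC/NSEC3 type bit maps that assert CNAME alongside other data.

Added example, not code from the mailing-list post or from any resolver.
Wire format (RFC 4034 s.4.1.2, RFC 5155 s.3.2.1): a sequence of
(window: 1 byte, length: 1 byte, bitmap: 'length' bytes), where bit 'b' of
byte 'i' in window 'w' set means type w*256 + i*8 + b is present.
"""

TYPE_A = 1
TYPE_CNAME = 5
TYPE_RRSIG = 46
TYPE_NSEC = 47

# Types DNSSEC itself places at a CNAME owner name (RFC 4034 s.4.1.2), so
# their presence in the bitmap is not "CNAME and other data".
CNAME_COMPATIBLE = {TYPE_RRSIG, TYPE_NSEC}


def decode_type_bitmap(wire):
    """Return the set of RR type codes asserted by a type bit map field.

    Raises ValueError on a malformed field (truncated window, bad length),
    which a validator should also treat as bogus rather than ignore.
    """
    types = set()
    i = 0
    while i < len(wire):
        if i + 2 > len(wire):
            raise ValueError("truncated window header")
        window, length = wire[i], wire[i + 1]
        i += 2
        if not 1 <= length <= 32:            # RFC 4034: 1..32 octets per window
            raise ValueError("bitmap length out of range: %d" % length)
        bitmap = wire[i:i + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        i += length
        for byte_index, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):      # bit 0 is the high-order bit
                    types.add(window * 256 + byte_index * 8 + bit)
    return types


def encode_type_bitmap(types):
    """Inverse of decode_type_bitmap; used here to build sample inputs."""
    by_window = {}
    for t in sorted(types):
        window = by_window.setdefault(t >> 8, bytearray(32))
        window[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for w in sorted(by_window):
        bits = by_window[w].rstrip(b"\x00")   # trailing zero octets are omitted
        out += bytes([w, len(bits)]) + bits
    return bytes(out)


def cname_conflicts(types):
    """Types that may not coexist with CNAME at one owner name (empty if OK)."""
    if TYPE_CNAME not in types:
        return set()
    return types - {TYPE_CNAME} - CNAME_COMPATIBLE


def validate_type_bitmap(wire):
    """'ok' for a well-formed bitmap without a CNAME conflict, else 'bogus'."""
    try:
        types = decode_type_bitmap(wire)
    except ValueError:
        return "bogus"
    return "bogus" if cname_conflicts(types) else "ok"


if __name__ == "__main__":
    # Constructed samples: a plain signed CNAME owner, and one that also holds A.
    signed_cname = encode_type_bitmap({TYPE_CNAME, TYPE_RRSIG, TYPE_NSEC})
    cname_plus_a = encode_type_bitmap({TYPE_A, TYPE_CNAME, TYPE_RRSIG, TYPE_NSEC})
    print(signed_cname.hex(), validate_type_bitmap(signed_cname))
    print(cname_plus_a.hex(), validate_type_bitmap(cname_plus_a))
```

The `cname_plus_a` case is the pattern the post wants rejected: the bitmap proves, under the zone's own signature, that the name holds both a CNAME and an A RRset. Because the NSEC/NSEC3 record is signed, a validator can make this decision without ever asking the authoritative server what it actually serves.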