[dns-operations] Cloudflare considered harmful?
Paul Vixie
paul at redbarn.org
Fri Apr 3 01:51:36 UTC 2020
On Thursday, 2 April 2020 23:59:30 UTC Mark Andrews wrote:
> ...
>
> This means there is no push back on operators doing the wrong thing with
> those servers. BIND has refused to load zones with CNAME and other data
> for the last 20+ years so, yes, it can be done. It just requires DNS
> vendors to have the intestinal fortitude to stop loading such zones. I
> hope that when HTTPSSVC is finalised DNS vendors which allow CNAME and
> other data to load will stop doing so, if not before then. HTTPSSVC, in
> most cases, provides an operational replacement for why the CNAME record has
> been installed.
i suggest that if the NSEC or NSEC3 bit mask indicates that both CNAME and any
other type are present, then it should be treated as a bogus condition. in
other words let's not only poison this data pattern at zone load, but also at
validation time.
--
Paul
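As an added illustration of the validation-time check proposed above (example code written for this page, not from BIND or any other resolver): a Python parser for the RFC 4034 section 4.1.2 type bitmap that an NSEC or NSEC3 record carries, plus the rule that a bitmap listing CNAME together with anything but its DNSSEC companions is treated as bogus. RFC 4035 section 2.5 permits RRSIG and NSEC alongside a CNAME at the same owner name, so those two are exempted; NSEC3 records live at hashed owner names and never share a bitmap with the CNAME. The constant and function names are my own, and the example assumes the NSEC/NSEC3 RRset being inspected has already passed signature verification.

```python
"""Detect the CNAME-plus-other-data pattern in an NSEC/NSEC3 type bitmap."""
from typing import Dict, Iterable, Set

# RR type codes from the IANA DNS parameters registry.
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA = 1, 2, 5, 6
TYPE_MX, TYPE_TXT, TYPE_AAAA = 15, 16, 28
TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 46, 47, 50
TYPE_HTTPS = 65  # successor of the HTTPSSVC draft discussed in the thread

# Types RFC 4035 section 2.5 allows next to a CNAME at the same owner name.
CNAME_COMPANIONS: Set[int] = {TYPE_RRSIG, TYPE_NSEC}


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Build the RFC 4034 section 4.1.2 wire form: (window, length, bitmap)*."""
    windows: Dict[int, bytearray] = {}
    for t in types:
        if not 0 <= t <= 0xFFFF:
            raise ValueError(f"bad RR type {t}")
        win, low = t >> 8, t & 0xFF
        bm = windows.setdefault(win, bytearray(32))
        bm[low >> 3] |= 0x80 >> (low & 7)  # network bit order: bit 0 is the MSB
    out = bytearray()
    for win in sorted(windows):
        bm = windows[win]
        length = max(i + 1 for i in range(32) if bm[i])  # drop trailing zero octets
        out += bytes([win, length]) + bytes(bm[:length])
    return bytes(out)


def decode_type_bitmap(data: bytes) -> Set[int]:
    """Parse the wire form into a set of RR type codes; reject malformed bitmaps."""
    types: Set[int] = set()
    pos, last_win = 0, -1
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated window header")
        win, length = data[pos], data[pos + 1]
        pos += 2
        if win <= last_win:
            raise ValueError("window blocks must be strictly increasing")
        if not 1 <= length <= 32:
            raise ValueError(f"bitmap length {length} out of range")
        if len(data) - pos < length:
            raise ValueError("truncated bitmap")
        bm = data[pos:pos + length]
        pos += length
        if bm[-1] == 0:
            raise ValueError("trailing zero octet not permitted")
        for i, octet in enumerate(bm):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (i << 3) | bit)
        last_win = win
    return types


def is_well_formed(data: bytes) -> bool:
    """True when the bitmap parses under the RFC 4034 encoding rules."""
    try:
        decode_type_bitmap(data)
        return True
    except ValueError:
        return False


def cname_and_other_data(types: Set[int]) -> bool:
    """CNAME present together with any type beyond its DNSSEC companions."""
    return TYPE_CNAME in types and bool(types - CNAME_COMPANIONS - {TYPE_CNAME})


def validate_bitmap(data: bytes) -> str:
    """'bogus' when the bitmap shows CNAME plus other data, 'ok' otherwise."""
    return "bogus" if cname_and_other_data(decode_type_bitmap(data)) else "ok"


if __name__ == "__main__":
    # Constructed bitmaps: a clean CNAME owner name and one mixing CNAME with A.
    clean = encode_type_bitmap({TYPE_CNAME, TYPE_RRSIG, TYPE_NSEC})
    mixed = encode_type_bitmap({TYPE_CNAME, TYPE_A, TYPE_RRSIG, TYPE_NSEC})
    print(clean.hex(), validate_bitmap(clean))
    print(mixed.hex(), validate_bitmap(mixed))
```

The encoder reproduces the worked example in RFC 4034 (A, MX, RRSIG, NSEC encode to `00 06 40 01 00 00 00 03`), which is a useful sanity check before trusting the decoder on real NSEC data. A resolver applying this rule would run it on the bitmap of the NSEC or NSEC3 record matching the query name after that record's RRSIG has validated; a "bogus" result is then handled exactly like any other DNSSEC validation failure.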