On Thursday, 2 April 2020 23:59:30 UTC Mark Andrews wrote:
> ...
>
> This means there is no push back on operators doing the wrong thing with
> those servers. BIND has refused to load zones with CNAME and other data
> for the last 20+ years so, yes, it can be done. It just requires DNS
> vendors to have the intestinal fortitude to stop loading such zones. I
> hope that when HTTPSSVC is finalised DNS vendors which allow CNAME and
> other data to load will stop doing so, if not before then. HTTPSSVC, in
> most cases, provides an operational replacement for why the CNAME record has
> been installed.

i suggest that if the NSEC or NSEC3 bit mask indicates that both CNAME and any
other type are present, then it should be treated as a bogus condition. in
other words let's not only poison this data pattern at zone load, but also at
validation time.

--
Paul
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
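
The validation-time check proposed in the message above, as an added example that is not from either poster and not code from BIND or any validator: it decodes an NSEC/NSEC3 type bitmap and reports the types that share an owner name with CNAME. The function names and sample bitmaps are constructed for illustration, and exempting RRSIG and NSEC is an assumption taken from RFC 4035 section 2.5, since the message does not list exemptions.

```python
"""Added example: CNAME-and-other-data check on an NSEC/NSEC3 type bitmap."""

CNAME, RRSIG, NSEC = 5, 46, 47
# Assumption: RRSIG and NSEC are exempt, since RFC 4035 section 2.5 requires
# them beside a CNAME in a signed zone; the message does not list exemptions.
ALLOWED_WITH_CNAME = {RRSIG, NSEC}


def decode_type_bitmap(data: bytes) -> set:
    """Decode the RFC 4034 section 4.1.2 window-block encoding into RR types."""
    types, pos, last_window = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        # Windows must ascend, and each bitmap is 1..32 octets long.
        if window <= last_window or not 1 <= length <= 32:
            raise ValueError("malformed window block")
        if pos + length > len(data):
            raise ValueError("truncated bitmap")
        for index, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant
                    types.add(window * 256 + index * 8 + bit)
        pos += length
        last_window = window
    return types


def cname_conflicts(bitmap: bytes) -> set:
    """Return the types that illegally share an owner name with CNAME."""
    types = decode_type_bitmap(bitmap)
    if CNAME not in types:
        return set()
    return types - {CNAME} - ALLOWED_WITH_CNAME


# Constructed sample bitmaps (not taken from any real zone).
SAMPLES = {
    "CNAME RRSIG NSEC": bytes.fromhex("0006040000000003"),
    "A CNAME MX RRSIG NSEC": bytes.fromhex("0006440100000003"),
    "CNAME RRSIG NSEC CAA": bytes.fromhex("0006040000000003010140"),
    "A RRSIG NSEC": bytes.fromhex("0006400000000003"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        bad = cname_conflicts(raw)
        print(f"{label}: {'bogus, extra types ' + str(sorted(bad)) if bad else 'ok'}")
```

NSEC3 records use the same type bitmap encoding, so the same function covers both record types.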
