On Tue, Jan 13, 2015 at 10:08:00PM -0800, Paul Vixie wrote:
> you've left the box i thought we were standing in. CNAME chains are
> already returned by authorities, if in your above example, the alias and
> the canonical name are served by the same authority server.

Didn't we decide a while back that this was a bad idea, that resolvers needed to stop trusting CNAME chains sent by authorities, and that authorities really ought to stop sending them?

The reasoning as I remember it: If I ask the server for vix.su a question, and it helpfully provides an answer in redbarn.org, I have only its own assurances that it *is* in fact authoritative for redbarn.org; the answer can't be trusted until I've chased delegations to redbarn.org too. Even if I'm DNSSEC-validating your responses, you *could* be replaying an outdated answer with a still-valid signature, so I'm safest if I resolve each name in the CNAME chain separately.

(I vividly remember a thread about this three or four years ago, but I'm having poor luck with the grepping.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
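The bailiwick rule Evan describes, as an added illustration that is not part of the thread and not code from ISC or any resolver: a resolver walking a CNAME chain returned by one authoritative server keeps only the records whose owner name lies inside the zone that server is authoritative for, and stops at the first name outside it, which it must then resolve on its own by chasing delegations. The record format, the helper names and the sample answer (a server for vix.su pointing www.vix.su at a name in redbarn.org and volunteering the target's A record) are constructed for the example; the addresses are from the 192.0.2.0/24 documentation range.

```python
from collections import namedtuple

# Minimal resource record for the example: owner name, type, rdata.
# Names are absolute (trailing dot); this is a hypothetical representation.
RR = namedtuple("RR", "name rtype rdata")


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies below it (case-insensitive)."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    if z == [""]:          # the root zone contains everything
        return True
    return len(n) >= len(z) and n[-len(z):] == z


def follow_cname_chain(qname, qtype, answer, zone):
    """Walk the CNAME chain in an answer from a server authoritative for `zone`.

    Returns (trusted, next_query). `trusted` holds the records the resolver
    may accept from this server: only those owned by names inside `zone`.
    `next_query` is the first name in the chain that falls outside `zone`;
    the resolver must look it up itself, chasing delegations, instead of
    believing whatever this server volunteered about it. It is None when
    the chain ends inside `zone`.
    """
    trusted = []
    seen = set()
    current = qname
    while True:
        key = current.lower()
        if key in seen:
            raise ValueError("CNAME loop at %s" % current)
        seen.add(key)
        if not in_bailiwick(current, zone):
            # The server is not authoritative here; its records for
            # `current` are hearsay and are dropped, not cached.
            return trusted, current
        owned = [rr for rr in answer if rr.name.lower() == key]
        cname = next((rr for rr in owned if rr.rtype == "CNAME"), None)
        if cname is None:
            # End of chain inside the zone: keep the final records (if any).
            trusted.extend(rr for rr in owned if rr.rtype == qtype)
            return trusted, None
        trusted.append(cname)
        current = cname.rdata


# Constructed sample: the vix.su server answers www.vix.su/A with a CNAME
# into redbarn.org and helpfully appends the target's A record.
SAMPLE_ZONE = "vix.su."
SAMPLE_ANSWER = [
    RR("www.vix.su.", "CNAME", "host.redbarn.org."),
    RR("host.redbarn.org.", "A", "192.0.2.1"),   # out of bailiwick: discarded
]

# Constructed sample: alias and canonical name both inside vix.su, so the
# whole chain can be accepted from this one server.
SAMPLE_LOCAL = [
    RR("alias.vix.su.", "CNAME", "target.vix.su."),
    RR("target.vix.su.", "A", "192.0.2.2"),
]

if __name__ == "__main__":
    print(follow_cname_chain("www.vix.su.", "A", SAMPLE_ANSWER, SAMPLE_ZONE))
    print(follow_cname_chain("alias.vix.su.", "A", SAMPLE_LOCAL, SAMPLE_ZONE))
```

For the first sample the resolver keeps the CNAME (owned by www.vix.su, inside the zone) but not the A record for host.redbarn.org, and is told to resolve host.redbarn.org separately; for the second it keeps both records and has nothing further to look up. A DNSSEC-validating resolver would still run this check before validation, since, as the message notes, a signature proves origin and not freshness.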