On Tue, Apr 11, 2017 at 09:11:54PM +0200, Florian Weimer wrote:
> I don't see how you can detect loops without DNS protocol changes. The
> query that comes back will look like a completely fresh query.
We can put a limit on the number of hops that are followed in populating the A and AAAA records for the expanded ANAME response. If that limit is exceeded, the ANAME record could be rejected by the auth; either the zone wouldn't load or address queries return SERVFAIL. BIND already has a limit of 16 hops for CNAME loop prevention. I assume other resolver implementations must do something similar.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
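The hop-limited expansion described in the reply above, as an added illustration that is not part of the thread, of BIND, or of any ANAME draft: a constructed in-memory zone (all names and addresses are made up, drawn from reserved example ranges) in which an ANAME target is followed through any CNAME chain behind it until address records are found, with a bound of 16 hops mirroring the CNAME limit the message mentions. A chain that exceeds the bound, which is what a loop looks like to the follower, is reported as SERVFAIL instead of spinning forever; the record layout, function names and the decision to return empty address sets for a non-existent target are this example's own assumptions.

```python
"""Hop-limited ANAME target expansion (illustrative; constructed zone data, not BIND code)."""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_HOPS = 16  # same bound the message cites for BIND's CNAME loop prevention


@dataclass
class RRset:
    """Minimal owner-name record set: at most one ANAME or CNAME plus A/AAAA lists."""
    aname: str | None = None
    cname: str | None = None
    a: list[str] = field(default_factory=list)
    aaaa: list[str] = field(default_factory=list)


class ExpansionError(Exception):
    """Chain exceeded MAX_HOPS: the auth would reject the ANAME or answer SERVFAIL."""


def expand_aname(owner: str, zone: dict[str, RRset], max_hops: int = MAX_HOPS):
    """Return (a_list, aaaa_list) copied from the end of owner's ANAME target chain.

    Each target visited (the ANAME target itself, then every CNAME or nested
    ANAME behind it) counts as one hop. Loops never terminate on their own, so
    the hop counter is what turns them into a bounded failure.
    """
    rrset = zone.get(owner)
    if rrset is None or rrset.aname is None:
        raise KeyError(f"{owner} has no ANAME record")
    target = rrset.aname
    hops = 0
    visited: list[str] = []  # kept only to make the failure message useful
    while True:
        hops += 1
        if hops > max_hops:
            chain = " -> ".join(visited)
            raise ExpansionError(f"hop limit {max_hops} exceeded for {owner}: {chain}")
        visited.append(target)
        rr = zone.get(target)
        if rr is None:
            # Assumption for this example: a missing target yields no addresses.
            return [], []
        if rr.cname is not None:
            target = rr.cname
            continue
        if rr.aname is not None:
            # A target that is itself an ANAME: keep following, still counting hops.
            target = rr.aname
            continue
        return list(rr.a), list(rr.aaaa)


# Constructed zone: one healthy ANAME behind a CNAME, one ANAME pointing into a CNAME loop.
ZONE: dict[str, RRset] = {
    "example.com.": RRset(aname="cdn.example.net."),
    "cdn.example.net.": RRset(cname="edge.example.net."),
    "edge.example.net.": RRset(a=["192.0.2.1"], aaaa=["2001:db8::1"]),
    "loop.example.com.": RRset(aname="a.loop.example."),
    "a.loop.example.": RRset(cname="b.loop.example."),
    "b.loop.example.": RRset(cname="a.loop.example."),
}


def make_chain_zone(n_cnames: int) -> dict[str, RRset]:
    """Constructed zone: ANAME -> n_cnames CNAMEs -> A record, to probe the bound."""
    zone = {"chain.example.": RRset(aname="c0.example.")}
    for i in range(n_cnames):
        zone[f"c{i}.example."] = RRset(cname=f"c{i + 1}.example.")
    zone[f"c{n_cnames}.example."] = RRset(a=["198.51.100.7"])
    return zone


def expansion_status(owner: str, zone: dict[str, RRset] = ZONE):
    """What an address query for owner would get back: (rcode, A list, AAAA list)."""
    try:
        a, aaaa = expand_aname(owner, zone)
        return ("NOERROR", a, aaaa)
    except ExpansionError:
        return ("SERVFAIL", [], [])


if __name__ == "__main__":
    for name in ("example.com.", "loop.example.com."):
        print(name, expansion_status(name))
    print("15 CNAMEs:", expansion_status("chain.example.", make_chain_zone(15))[0])
    print("16 CNAMEs:", expansion_status("chain.example.", make_chain_zone(16))[0])
```

Counting every visited target as a hop means a chain of 15 CNAMEs behind the ANAME target (16 names visited) still expands, while 16 CNAMEs (17 names) trips the bound; the loop case fails at the same 17th visit, so the operator sees the same SERVFAIL whether the chain is merely too long or genuinely circular.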