On Sat, Apr 14, 2018 at 01:13:30AM +0800, Mukund Sivaraman wrote:
> On Fri, Apr 13, 2018 at 04:31:35PM +0000, Evan Hunt wrote:
> > I could have sworn there was an RFC published several years ago concerning
> > the prevention of cache poisoning, which specified that resolvers had to
> > ignore out of zone CNAMEs and re-query, but I can't find it now. Poor
> > google skills, or did I dream the whole thing?
>
> RFC 2181
That was a "should", not a MUST. I thought I remembered something that upgraded it to MUST, but I can't find it now.

It's possible I was thinking of RFC 5452 (which I now see was authored by the person whose question I was answering -- *this* is how you suck eggs, grandma). It says, "Care must be taken to only accept data if it is known that the originator is authoritative for the QNAME or a parent of the QNAME. One very simple way to achieve this is to only accept data if it is part of the domain for which the query was intended."

This is less strongly-worded than what I remembered, but at least it does strongly hint that returning out-of-zone CNAMEs is likely to be a waste of effort. When we do the 1034 bis I'd like to see this made more explicit.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
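As an added illustration of the RFC 5452 rule quoted above (example code written for this page, not from the thread's authors or any resolver implementation): a minimal bailiwick filter that keeps only records whose owner name lies within the zone the queried server is known to serve, so an out-of-zone CNAME target carried in the same response is discarded and would have to be re-queried. The sample records and zone names are constructed.

```python
# Added example (not from the thread): bailiwick check in the spirit of RFC 5452.
# A resolver accepts a record from a response only if the record's owner name is
# the zone it asked about or a descendant of it. Records owned by other zones
# (for instance the A record of a CNAME target in a different domain) are ignored
# and must be fetched by a separate query to that zone's own servers.
from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels; '.' (root) gives []."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or is below it (case-insensitive)."""
    o, z = _labels(owner), _labels(zone)
    if not z:               # root zone: everything is in bailiwick
        return True
    return len(o) >= len(z) and o[-len(z):] == z


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


def filter_response(records: list[RR], zone: str) -> tuple[list[RR], list[RR]]:
    """Partition response records into (cacheable, ignored) for a query sent
    to a server authoritative for `zone`."""
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.owner, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed sample: the example.com server answers www.example.com with a
# CNAME into another zone and also includes the target's A record plus an
# unrelated record; neither of the latter is within example.com.
SAMPLE = [
    RR("www.example.com.", "CNAME", "cdn.example.net."),
    RR("cdn.example.net.", "A", "192.0.2.10"),
    RR("ns1.example.org.", "A", "192.0.2.66"),
]

if __name__ == "__main__":
    keep, drop = filter_response(SAMPLE, "example.com.")
    print("accepted:", [r.owner for r in keep])   # only www.example.com.
    print("ignored: ", [r.owner for r in drop])
```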