On Fri, Apr 13, 2018 at 05:11:52PM +0200, bert hubert wrote:
> RFC 1034, 4.3.2, step 3, a. It says to go back to step 1, which means that
> in step 2 we look up the best zone again for the target of the CNAME. I have
> not looked if newer RFCs deprecate this or not. So with 'chase' I mean,
> consult other zones it is authoritative for. There might be millions of
> these btw, operated by other people.

The search algorithm has been updated a few times (most recently 6672, I
believe?) but AFAIK this phrasing remains in effect, and probably ought to
be clarified in a future document. That said, it's up to you what zones you
consider "available" in step 2, and there's no reason you can't limit the
set of available zones to the ones that were in bailiwick for the original
query, so you're not breaking any rules.

I could have sworn there was an RFC published several years ago concerning
the prevention of cache poisoning, which specified that resolvers had to
ignore out of zone CNAMEs and re-query, but I can't find it now. Poor
google skills, or did I dream the whole thing?

Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

DNSOP mailing list

Reply via email to