On Fri, Apr 13, 2018 at 05:11:52PM +0200, bert hubert wrote:
> RFC 1034, 4.3.2, step 3, a. It says to go back to step 1, which means that
> in step 2 we look up the best zone again for the target of the CNAME. I have
> not looked if newer RFCs deprecate this or not. So with 'chase' I mean,
> consult other zones it is authoritative for. There might be millions of
> these btw, operated by other people.

The search algorithm has been updated a few times (most recently 6672, I
believe?) but AFAIK this phrasing remains in effect, and probably ought to
be clarified in a future document.

That said, it's up to you what zones you consider "available" in step 2,
and there's no reason you can't limit the set of available zones to the
ones that were in bailiwick for the original query, so you're not breaking
any rules.

I could have sworn there was an RFC published several years ago concerning
the prevention of cache poisoning, which specified that resolvers had to
ignore out of zone CNAMEs and re-query, but I can't find it now. Poor
google skills, or did I dream the whole thing?

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
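
The two behaviours discussed in this thread, as an added sketch that is not part of either message and not taken from any DNS server: an authoritative lookup that restarts at step 1 on a CNAME, with the set of "available" zones in step 2 either all zones the server holds or only the zone chosen for the original query. The zone data, the `answer` function and the `chase_other_zones` flag are constructed for illustration; delegations, wildcards and DNAME are left out.

```python
# Constructed sample data: two zones served by one authoritative server.
ZONES = {
    "example.com.": {
        "www.example.com.": {"CNAME": "web.example.com."},
        "web.example.com.": {"A": "192.0.2.10"},
        "cdn.example.com.": {"CNAME": "edge.example.net."},
    },
    "example.net.": {
        "edge.example.net.": {"A": "198.51.100.7"},
    },
}


def best_zone(qname, available):
    """Step 2: pick the available zone that is the nearest ancestor of qname."""
    matches = [z for z in available if qname == z or qname.endswith("." + z)]
    return max(matches, key=len, default=None)


def answer(qname, qtype, zones=ZONES, chase_other_zones=True, max_chain=8):
    """Return the answer section as a list of (owner, type, rdata) tuples."""
    available = set(zones)
    records = []
    for _ in range(max_chain):          # bound the loop against CNAME cycles
        zone = best_zone(qname, available)
        if zone is None:
            break                       # no available zone: stop with what we have
        if not chase_other_zones:
            available = {zone}          # later passes see only the original zone
        rrsets = zones[zone].get(qname, {})
        if "CNAME" in rrsets and qtype != "CNAME":
            target = rrsets["CNAME"]
            records.append((qname, "CNAME", target))
            qname = target              # step 3a: back to step 1 with the new QNAME
            continue
        if qtype in rrsets:
            records.append((qname, qtype, rrsets[qtype]))
        break
    return records
```

With `chase_other_zones=False` the response for a name whose CNAME points into another locally served zone ends at the CNAME, so the querier has to ask again for the target.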