Hi,

On Wed, 2024-07-24 at 17:36 +0200, Philip Homburg wrote:
> > Partially. I believe the DNSSEC validation and following the
> > CNAME-chain have to be implemented in the same routine. This is
> > because to perform an authenticated denial of existence, you first
> > need to know which name and rrtype you want to prove does not
> > exist.
>
> DNSSEC validation follows the CNAME-chain that is part of validation.
>
> However, the ultimate user of the data also has to follow the CNAME-chain
> to avoid picking up unwanted additional records in the answer section.
>

I think this is the core issue behind the CVE and the filed bug. Who is the "ultimate user"? And where is this expectation formulated exactly?

I would believe that most applications using DNS libraries such as dnsjava do not expect that they have to sift through CNAMEs in the replies and filter according to their initial query.

So is dnsjava in your opinion the "ultimate user" that is expected to filter? If yes, "ultimate user" is an odd description because dnsjava is a resolver implementation, whereas "ultimate user" to me means an application using a resolver (library/implementation).

BR
Martin

> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
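The filtering Philip describes, as an added example that is not part of this thread or of dnsjava: a walk over a DNS answer section that starts at the original query name, follows the CNAME chain, and keeps only the records on that chain, so unrelated records in the answer section never reach the application. The RR shape, the names and the addresses are constructed assumptions.

```python
from typing import List, NamedTuple, Tuple

class RR(NamedTuple):  # minimal resource record: owner, type mnemonic, rdata text
    name: str
    rtype: str
    rdata: str

def canon(name: str) -> str:  # lower-case FQDN so owner and target names compare equal
    return name.rstrip(".").lower() + "."

def follow_chain(qname: str, qtype: str, answer: List[RR]) -> Tuple[str, List[RR]]:
    """Walk the CNAME chain from qname; return (final owner, accepted RRs).
    Only records reachable from the query name are kept; anything else in the
    answer section is dropped. Loops and several CNAMEs at one owner raise
    ValueError so the caller can treat the answer as bogus."""
    by_owner = {}
    for rr in answer:
        by_owner.setdefault(canon(rr.name), []).append(rr)
    owner, accepted, seen = canon(qname), [], set()
    while owner not in seen:
        seen.add(owner)
        here = by_owner.get(owner, [])
        wanted = [rr for rr in here if rr.rtype == qtype]
        if wanted:  # chain ends with data of the queried type
            return owner, accepted + wanted
        cnames = [rr for rr in here if rr.rtype == "CNAME"]
        if not cnames:  # chain ends without data (NODATA/NXDOMAIN for this owner)
            return owner, accepted
        if len(cnames) > 1:
            raise ValueError(f"multiple CNAMEs at {owner}")
        accepted.append(cnames[0])
        owner = canon(cnames[0].rdata)
    raise ValueError(f"CNAME loop at {owner}")

def is_rejected(qname: str, qtype: str, answer: List[RR]) -> bool:
    try:
        follow_chain(qname, qtype, answer)
        return False
    except ValueError:
        return True

# Constructed data: a legitimate chain plus one record unrelated to the query
# (must not reach the application), and a looping chain that must be rejected.
SAMPLE_ANSWER = [
    RR("www.example.test", "CNAME", "web.example.test"),
    RR("web.example.test", "A", "192.0.2.10"),
    RR("other.example.test", "A", "192.0.2.66"),  # off-chain, dropped
]
LOOP_ANSWER = [RR("a.example.test", "CNAME", "b.example.test"),
               RR("b.example.test", "CNAME", "a.example.test")]
```

The same walk also tells a validating resolver which final owner name and type an authenticated denial of existence has to cover when the chain ends without data.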
