John Levine wrote in <20241019183741.78F2E973409A@xxxxxx>:
|It appears that Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> said:
|>> If you want to forbid CNAMEs, the application has to add special
|>> checks to notice the CNAMEs and object to them.
|>
|>This of course depends on the API used. If it is just getaddrinfo() and
|>friends, then indeed yes. But carefully designed MTAs will resort to
...
|>> PS: In answer to the question how many levels of CNAME to allow, the
|>> only answer is whatever your DNS library does. The dnsop WG has
|>> declined to set specific limits on CNAME or DNAME or any of the many
|>> other ways you can make long chains of DNS lookups, and we sure aren't
|>> going there either.
|>
|>Postfix picked 10 IIRC.
|
|Does it really follow the CNAMEs itself rather than letting the DNS
|resolver do it? If so, what does it do about the other endless chains
|such as cascading NS?

I would claim this is exactly the differentiation in between
"stub" and "recursive" resolver, no?

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
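
Added example, not part of the original message and not code from Postfix or any DNS library: a sketch of the application-side case discussed in the thread, where the program walks the CNAME chain itself and so must enforce its own hop limit, loop check and optional "no CNAMEs" policy. The names follow_cnames, CnameError and ZONE are hypothetical, the records are constructed, and the default of 10 is only the figure quoted above, taken as an assumption.

```python
class CnameError(Exception):
    """Raised when a CNAME chain violates the application's policy."""

def norm(name):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return name.rstrip(".").lower()

def follow_cnames(name, records, max_cnames=10, allow_cname=True):
    """Walk CNAMEs in `records` (dict: owner -> list of (rtype, rdata)).

    Returns (canonical_name, addresses, chain). max_cnames=10 is the
    figure quoted in the thread, used here as an assumption.
    """
    current = norm(name)
    chain, seen = [current], {current}
    while True:
        rrset = records.get(current, [])
        targets = [norm(v) for t, v in rrset if t == "CNAME"]
        if not targets:
            # End of chain: hand back whatever address records exist.
            return current, [v for t, v in rrset if t == "A"], chain
        if not allow_cname:
            raise CnameError(f"CNAME not permitted at {current}")
        if len(chain) > max_cnames:  # len(chain) - 1 CNAMEs followed so far
            raise CnameError(f"more than {max_cnames} CNAMEs from {chain[0]}")
        current = targets[0]
        if current in seen:
            raise CnameError(f"CNAME loop via {current}")
        seen.add(current)
        chain.append(current)

# Constructed records (documentation names and addresses only).
ZONE = {
    "mail.example": [("CNAME", "mx1.example.")],
    "mx1.example": [("CNAME", "host.example.")],
    "host.example": [("A", "192.0.2.25")],
    "a.example": [("CNAME", "b.example.")],
    "b.example": [("CNAME", "a.example.")],
    "c12.example": [("A", "192.0.2.12")],
}
# A 12-link chain c0 -> c1 -> ... -> c12 to exercise the hop limit.
ZONE.update({f"c{i}.example": [("CNAME", f"c{i + 1}.example.")]
             for i in range(12)})

if __name__ == "__main__":
    print(follow_cnames("Mail.Example.", ZONE))
```

With a stub API such as getaddrinfo() none of these checks are visible to the caller, because the chain has already been chased before the answer is returned.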