Steffen Nurpmeso wrote in
 <20241019224458.Ku3ive4N@steffen%sdaoden.eu>:
 |John Levine wrote in
 | <20241019183741.78F2E973409A@xxxxxx>:
 ||It appears that Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> said:
 ||>> If you want to forbid CNAMEs, the application has to add special
 ||>> checks to notice the CNAMEs and object to them.
 ||>
 ||>This of course depends on the API used. If it is just getaddrinfo() and
 ||>friends, then indeed yes. But carefully designed MTAs will resort to
 | ...
 ||>> PS: In answer to the question how many levels of CNAME to allow, the
 ||>> only answer is whatever your DNS library does. The dnsop WG has
 ||>> declined to set specific limits on CNAME or DNAME or any of the many
 ||>> other ways you can make long chains of DNS lookups, and we sure aren't
 ||>> going there either.
 ||>
 ||>Postfix picked 10 IIRC.
 ||
 ||Does it really follow the CNAMEs itself rather than letting the DNS
 ||resolver do it? If so, what does it do about the other endless chains
 ||such as cascading NS?
 |
 |I would claim this is exactly the differentiation in between
 |"stub" and "recursive" resolver, no?

src/dns/dns_lookup.c says

  /* dns_lookup() looks up DNS resource records. When requested to
  /* look up data other than type CNAME, it will follow a limited
  /* number of CNAME indirections. All result names (including
  /* null terminator) will fit a buffer of size DNS_NAME_LEN.
  /* All name results are validated by \fIvalid_hostname\fR();
  /* an invalid name is reported as a DNS_INVAL result, while
  /* malformed replies are reported as transient errors.

and then

        if (cname_found)
            return (DNS_RECURSE);

and in its caller

    for (count = 0; count < 10; count++) {
        ...
        switch (status) {
        ...
        case DNS_RECURSE:
            if (msg_verbose)
                msg_info("dns_lookup: %s aliased to %s", name, cname);
#if RES_USE_DNSSEC
            /*
             * Once an intermediate CNAME reply is not validated, all
             * consequent RRs are deemed not validated, so we don't ask for
             * further DNSSEC replies.
             */
            if (maybe_secure == 0)
                flags &= ~RES_USE_DNSSEC;
#endif
            name = cname;
        }

--steffen
 |
 |Der Kragenbaer,                The moon bear,
 |der holt sich munter           he cheerfully and one by one
 |einen nach dem anderen runter  wa.ks himself off
 |(By Robert Gernhardt)
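The CNAME-following loop quoted in the message above, modelled as an added example that is not Postfix's code: a stub lookup against a constructed in-memory zone, with the 10-hop cap and the DNSSEC downgrade once an intermediate CNAME reply is not validated. The zone names, the Reply type and the DNS_RETRY status returned for an overlong chain are assumptions of this example.

```python
from dataclasses import dataclass

MAX_CNAME_HOPS = 10          # the "count < 10" cap in the caller quoted above


@dataclass
class Reply:
    rtype: str               # "A" or "CNAME"
    rdata: str
    validated: bool          # reply carried the DNSSEC AD bit (maybe_secure)


# Constructed sample zone (one record per name): a signed CNAME, an unsigned
# CNAME, then the final A record, plus a two-name CNAME loop.
ZONE = {
    "mail.example.test.": Reply("CNAME", "mx1.example.test.", True),
    "mx1.example.test.": Reply("CNAME", "host.example.test.", False),
    "host.example.test.": Reply("A", "192.0.2.10", True),
    "loop-a.test.": Reply("CNAME", "loop-b.test.", False),
    "loop-b.test.": Reply("CNAME", "loop-a.test.", False),
}


def dns_lookup(name, qtype, want_dnssec):
    """One query, as dns_lookup() does it: returns (status, reply).
    A CNAME answer to a non-CNAME query is reported as DNS_RECURSE."""
    rr = ZONE.get(name)
    if rr is None:
        return "DNS_NOTFOUND", None
    # Without RES_USE_DNSSEC requested, the resolver cannot report validation.
    rr = Reply(rr.rtype, rr.rdata, rr.validated and want_dnssec)
    if rr.rtype == "CNAME" and qtype != "CNAME":
        return "DNS_RECURSE", rr
    return "DNS_OK", rr


def dns_lookup_x(name, qtype, want_dnssec=True):
    """The caller's loop: follow at most MAX_CNAME_HOPS CNAMEs and stop asking
    for DNSSEC once an intermediate CNAME reply was not validated.
    Returns (status, final_name, rdata, validated)."""
    for _ in range(MAX_CNAME_HOPS):
        status, rr = dns_lookup(name, qtype, want_dnssec)
        if status != "DNS_RECURSE":
            rdata = rr.rdata if rr else None
            return status, name, rdata, bool(rr and rr.validated)
        if not rr.validated:
            want_dnssec = False  # flags &= ~RES_USE_DNSSEC
        name = rr.rdata
    # Assumed status for a chain longer than the cap (Postfix's choice is not quoted).
    return "DNS_RETRY", name, None, False
```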