Commit 62001974 authored by Marek Vavruša's avatar Marek Vavruša

iterator+rrcache: do not follow CNAME chains (if not DNSSEC-secured)

[1] shows an attack using spoofed CNAME targets to replace legitimate
entries in the resolver cache by speeding up the once-per-TTL attack opportunity.

As a defense, the resolver almost always requeries CNAME targets and
doesn't store them in the cache. The only exception is when the CNAME target
is within the current authority and the answer is DNSSEC-secured.

Thanks to Toshinori Maeno (@beyondDNS) for pointing this out [2].

[1]: https://tools.ietf.org/id/draft-weaver-dnsext-comprehensive-resolver-00.html
[2]: https://moin.qmail.jp/DNS/KnotResolver/CNAMEpatch
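The cache-admission rule the commit describes, as an added illustration that is not Knot Resolver's own code: an answer is modelled as a list of in-memory records, `zone` is the authority the answer came from, and the `secured` flag stands in for the DNSSEC validator's verdict on the answer. All names, records and addresses below are constructed for the example. The spoofed reply shows the attack from [1]: the attacker triggers a query for a random, uncached name so that a new spoofing race opens on every query rather than once per TTL, and rides a CNAME to smuggle a forged, in-bailiwick A record for the name it actually wants to overwrite. The earlier behaviour (follow and cache the whole chain) admits the forgery; the commit's policy stops at the CNAME and requeries the target unless the target is inside the current authority and the answer is DNSSEC-secured.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from an answer section (constructed, not wire data)."""
    name: str    # owner name
    rtype: str   # "CNAME" or "A" is all this example needs
    rdata: str   # CNAME target or IPv4 address
    ttl: int = 300


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone, the authority the answer came from."""
    n, z = _fqdn(name), _fqdn(zone)
    return z == "." or n == z or n.endswith("." + z)


def admit_to_cache(qname, answer, zone, secured, follow_cnames):
    """Walk the CNAME chain starting at qname and return the RRs admitted to cache.

    follow_cnames=True models the earlier behaviour: every in-bailiwick record
    of the chain is stored.  follow_cnames=False models this commit: records at
    a CNAME target are stored only if the target is inside the current
    authority and the answer is DNSSEC-secured (`secured` stands for the
    validator's verdict); otherwise the chain stops here and the target is
    requeried later rather than learned from this answer.
    """
    admitted = []
    current = _fqdn(qname)
    visited = set()  # guards against CNAME loops in a hostile answer
    while current not in visited and in_bailiwick(current, zone):
        visited.add(current)
        rrset = [rr for rr in answer if _fqdn(rr.name) == current]
        admitted.extend(rrset)
        cname = next((rr for rr in rrset if rr.rtype == "CNAME"), None)
        if cname is None:
            break
        target = _fqdn(cname.rdata)
        if not follow_cnames and not (in_bailiwick(target, zone) and secured):
            break  # target is requeried, nothing about it is cached from here
        current = target
    return admitted


ZONE = "example.com"          # authority the (unsigned) answer claims to come from
TARGET = "www.example.com."   # legitimate name the attacker wants to overwrite

# Constructed spoofed reply: a random owner name keeps the query uncached, so a
# spoofing race opens on every query instead of once per TTL, and the CNAME
# drags a forged in-bailiwick A record for TARGET into the answer.
SPOOFED = [
    RR("r4nd0m.example.com", "CNAME", "www.example.com"),
    RR("www.example.com", "A", "203.0.113.66"),
]
# Constructed legitimate chained answer, used for the DNSSEC-secured exception.
LEGIT = [
    RR("alias.example.com", "CNAME", "www.example.com"),
    RR("www.example.com", "A", "192.0.2.10"),
]
# Constructed chain whose target lies outside the authority: never followed.
OFFSITE = [
    RR("alias.example.com", "CNAME", "www.example.net"),
    RR("www.example.net", "A", "192.0.2.20"),
]


def poisoned(admitted):
    """True if the forged address for TARGET made it into the cache."""
    return any(_fqdn(rr.name) == TARGET and rr.rtype == "A" and rr.rdata == "203.0.113.66"
               for rr in admitted)


def demo():
    old = admit_to_cache("r4nd0m.example.com", SPOOFED, ZONE, secured=False, follow_cnames=True)
    new = admit_to_cache("r4nd0m.example.com", SPOOFED, ZONE, secured=False, follow_cnames=False)
    return {
        "old_policy_poisoned": poisoned(old),
        "new_policy_poisoned": poisoned(new),
        "secured_chain_cached": len(admit_to_cache("alias.example.com", LEGIT, ZONE, True, False)),
        "offsite_chain_cached": len(admit_to_cache("alias.example.com", OFFSITE, ZONE, True, False)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bailiwick check alone does not stop this attack, because the forged A record is for a name inside the same zone the answer claims to come from; what blocks it is refusing to learn anything about the CNAME target from an unsigned answer. A real resolver tracks the current zone cut and the validation state per query rather than passing them in as arguments, but the admission decision is the same.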
parent b0e223c6