On 08. 07. 25 17:42, John Levine wrote:
> It appears that Yorgos Thessalonikefs <[email protected]> said:
>> Various ways that could give resolution inconsistencies between
>> implementations (I am not considering the actual attack scenario because
>> no one cares about that resolution).
>
> Different resolvers allow different lengths of CNAME chains before they give up.
> I think that's much more likely to make a practical difference, but we've been
> living with it for decades and dnsop has never provided definitive advice on
> how to deal with it.
>
> Why is this any more urgent?
For CNAME chains we have seen development over the years, going to
longer and longer chains. So there's proof that a flexible limit which
changes over the years makes sense.
For colliding keytags, that's just nonsense. There's no incentive to
support these and BIND will currently refuse anything with more than one
collision.
I'm all for declaring
acceptable number of collisions = 0
--
Petr Špaček
Internet Systems Consortium
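A validator-side check for the "acceptable number of collisions = 0" position above, added here as an example that is not part of this thread nor of BIND's code. It computes DNSKEY key tags with the RFC 4034 Appendix B algorithm (algorithms other than 1) and rejects a DNSKEY RRset whose key-tag collision count exceeds a configurable limit; the key material below is constructed for illustration only.

```python
from collections import Counter

# A DNSKEY is modelled as (flags, protocol, algorithm, public_key_bytes).
DnsKey = tuple[int, int, int, bytes]


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    ac = 0
    for i, byte in enumerate(rdata):
        # Even-offset bytes are the high half of a 16-bit word, odd ones the low half.
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def count_collisions(rrset: list[DnsKey]) -> int:
    """Number of keys that share a key tag with an earlier key in the RRset."""
    tags = Counter(key_tag(*key) for key in rrset)
    return sum(n - 1 for n in tags.values() if n > 1)


def accept_dnskey_rrset(rrset: list[DnsKey], max_collisions: int = 0) -> bool:
    """Policy knob from the thread: 0 means any colliding key tag rejects the RRset."""
    return count_collisions(rrset) <= max_collisions


# Constructed sample keys (flags 257 = KSK, 256 = ZSK; protocol 3; algorithm 13).
# The public key bytes are placeholders, chosen short so the tags are easy to follow.
KEY_A: DnsKey = (257, 3, 13, b"\x01\x02\x03\x04")   # tag 2068
KEY_B: DnsKey = (256, 3, 13, b"\x01\x02\x03\x04")   # tag 2067, no collision
KEY_C: DnsKey = (256, 3, 13, b"\x01\x03\x03\x04")   # constructed to collide with KEY_A

if __name__ == "__main__":
    for name, key in (("A", KEY_A), ("B", KEY_B), ("C", KEY_C)):
        print(f"key {name}: tag {key_tag(*key)}")
    print("accept [A, B] with limit 0:", accept_dnskey_rrset([KEY_A, KEY_B]))
    print("accept [A, B, C] with limit 0:", accept_dnskey_rrset([KEY_A, KEY_B, KEY_C]))
    print("accept [A, B, C] with limit 1:", accept_dnskey_rrset([KEY_A, KEY_B, KEY_C], 1))
```

The limit of 1 mirrors the "more than one collision" behaviour attributed to BIND above; the limit of 0 is the policy the message argues for.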
_______________________________________________
DNSOP mailing list -- [email protected]