Re: [DNSOP] RFC2317 Question: Resolving cname delegation

Vladimír Čunát, Thu, 24 August 2017 16:06 UTC


On 08/24/2017 05:46 PM, Hector Santos wrote:
> [...] Not expecting this in my DNS resolver code, I modified the
> resolver to take the CNAMEs into account and return the host names
> instead.  Was this the correct thing to do, thus providing the same
> results regardless of the query location? [...]

I can't see any hint in RFC2317 that resolvers should/could change the
data they obtain from upstream, even if just "expand CNAMEs" (and it's
only a BCP RFC anyway).  In particular, if the particular zone is covered
by DNSSEC, you may trigger validation errors by that.
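
An added example, not part of the message above and not code from either poster: a consumer follows the RFC 2317 CNAME chain in the answer section as received, next to a rewritten answer checked against the signed RRsets. The sample records, the `flatten` reading of the rewrite being asked about, and the `SIGNED_RRSETS` model of which RRsets carry an RRSIG are all assumptions.

```python
# Constructed sample data laid out like the RFC 2317 example (192.0.2.0/25).
QNAME = "1.2.0.192.in-addr.arpa."
ANSWER = [  # answer section as received from upstream: (owner, type, rdata)
    (QNAME, "CNAME", "1.0/25.2.0.192.in-addr.arpa."),
    ("1.0/25.2.0.192.in-addr.arpa.", "PTR", "host1.example."),
]

def norm(name):
    """DNS names compare case-insensitively."""
    return name.lower()

# Assumption: every RRset actually published in the zones carries an RRSIG.
SIGNED_RRSETS = {(norm(o), t) for o, t, _ in ANSWER}

def follow_ptr(qname, answer, max_hops=8):
    """Return (cname_chain, ptr_targets) without altering any record."""
    by_owner = {}
    for owner, rtype, rdata in answer:
        by_owner.setdefault((norm(owner), rtype), []).append(rdata)
    chain, name, seen = [], norm(qname), set()
    while (name, "CNAME") in by_owner:
        if name in seen or len(chain) >= max_hops:
            raise ValueError("CNAME loop or chain too long")
        seen.add(name)
        name = norm(by_owner[(name, "CNAME")][0])
        chain.append(name)
    return chain, by_owner.get((name, "PTR"), [])

def flatten(qname, answer):
    """Assumed form of the rewrite: synthesize PTR records at qname itself."""
    _, targets = follow_ptr(qname, answer)
    return [(qname, "PTR", t) for t in targets]

def unsigned_rrsets(records, signed=SIGNED_RRSETS):
    """RRsets for which a validator would find no covering RRSIG."""
    return sorted({(norm(o), t) for o, t, _ in records} - signed)

if __name__ == "__main__":
    print(follow_ptr(QNAME, ANSWER))
    print(unsigned_rrsets(ANSWER))
    print(unsigned_rrsets(flatten(QNAME, ANSWER)))
```

The unmodified answer maps entirely onto signed RRsets, while the flattened one contains a PTR RRset at the query name that the zone never published or signed.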