On Tue, Jul 04, 2006 at 09:22:17AM -0700, Michael Thomas allegedly wrote:
> John Levine wrote:
> > Current DNS RRtypes which result in a leaf record will not loop.
> > CNAMEs can always loop, but that is a general problem that we aren't
> > making any worse.
>
> It's my belief that DKIM selectors don't allow CNAME's. Am I correct?

Whilst that might be appealing if one is no fan of CNAMEs, it would be
very hard to enforce. In particular an amount of DNS client software
follows CNAMEs automatically for the caller so a verifier may not even
get the chance to make this decision. One example being the popular
CPAN module Net::DNS::Resolver. It wouldn't surprise me if some caches
do this too, making detection impossible in some cases.
Furthermore, disallowing CNAMEs would be inconsistent with most (all?)
other RR type queries thus creating surprise for unknowing DNS admins
who might routinely use CNAMEs.
Which maybe brings up a documentation clarification about allowing
CNAMEs since at least one person assumed that they are not allowed.
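
The behaviour discussed in the message above, as an added example that is not part of the original post: a lookup routine that follows CNAMEs on the caller's behalf, so the DKIM verifier receives only the final TXT data, and that bounds the chain so a loop ends in an error. The zone records, names, placeholder key and hop limit are all constructed assumptions.

```python
"""CNAME chasing for a DKIM key lookup, over constructed zone data."""

# Constructed records: (owner name, RR type) -> rdata list. Key is a placeholder.
ZONE = {
    ("sel1._domainkey.example.com.", "CNAME"): ["sel1.keys.provider.example."],
    ("sel1.keys.provider.example.", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER"],
    ("direct._domainkey.example.com.", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER"],
    ("a._domainkey.example.com.", "CNAME"): ["b._domainkey.example.com."],
    ("b._domainkey.example.com.", "CNAME"): ["a._domainkey.example.com."],
}
MAX_CNAME_HOPS = 8  # assumed limit, not taken from any specification


class CnameChainError(Exception):
    """Raised when a CNAME chain loops or exceeds the hop limit."""


def normalize(name):
    # DNS names compare case-insensitively; use one absolute form.
    return name.lower().rstrip(".") + "."


def resolve_txt(name, zone=ZONE, max_hops=MAX_CNAME_HOPS):
    """Return (txt_rdata, chain); chain lists every owner name visited."""
    current = normalize(name)
    chain = [current]
    while True:
        txt = zone.get((current, "TXT"))
        if txt is not None:
            return list(txt), chain
        cname = zone.get((current, "CNAME"))
        if cname is None:
            return [], chain  # no data at this name
        target = normalize(cname[0])
        if target in chain:
            raise CnameChainError("CNAME loop: " + " -> ".join(chain + [target]))
        if len(chain) > max_hops:
            raise CnameChainError("CNAME chain longer than %d hops" % max_hops)
        chain.append(target)
        current = target


def fetch_dkim_key(selector, domain):
    """What the verifier gets from a CNAME-following resolver: TXT rdata only."""
    records, _chain = resolve_txt("%s._domainkey.%s" % (selector, domain))
    return records
```

A caller of `fetch_dkim_key` cannot tell the aliased selector from the direct one; only `resolve_txt`, which keeps the chain, can.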