spf-discuss

Re: Re: possible changes to the SPF I-D during AUTH48

2005-08-15 13:01:24
In <Pine(_dot_)LNX(_dot_)4(_dot_)44(_dot_)0508142028110(_dot_)4395-100000(_at_)bmsred(_dot_)bmsi(_dot_)com> "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com> writes:

IN CONCLUSION, Wayne is correct in that rfc1034 (not 1035) tells the name
server and recursive queries to follow CNAMES and include them in the answer.
However, it is silent on how to handle long chains that will not fit in
a UDP packet with the target answers - the default action is to return
a packet flagged as "partial results".

Stuart's most recent research matches my vague memory of the last time
I researched the question of what to do with CNAME chains and loops.


Now, again, the questions are:

*  Can CNAME loops be used to create DoS attacks against third
   parties?

That is, can an SMTP client (sender) use an SMTP server (receiver) to
cause undue traffic to a third party of the sender's choosing at a rate
that significantly exceeds what the SMTP client could cause by other
means?


*  Can CNAME loops be used to create a DoS attack against the
   receiver?

That is, can the SMTP client (sender) cause the SMTP server (receiver)
to consume undue resources that significantly exceed what the SMTP
client could cause by other means?


What we don't care about is:

*  Can a domain owner shoot themselves in the foot by using CNAMEs?


I'm having a hard time thinking of a problem that CNAME chains
cause anyone but the domain owner.  I am also having a hard time
seeing how an application, such as an SPF implementation, can change
the behavior of the resolver.


-wayne