search

alexdalitz / dnsruby

Dnsruby is a feature-complete DNS(SEC) client for Ruby, as used by many of the world's largest DNS registries and the OpenDNSSEC project
Other
197 stars 77 forks source link

CAA request resolve CNAME #167

Closed nagavijayan-nagarathinam closed 3 years ago

nagavijayan-nagarathinam commented 3 years ago

When i try to resolve CAA using DNSruby, i used to get CNAME answer.

pfa

Screenshot 2020-10-07 at 7 06 32 PM
alexdalitz commented 3 years ago

Could you please post the results of a dig for the same query?

On 7 Oct 2020, at 14:48, Nagavijayan notifications@github.com wrote:

When i try to resolve CAA using DNSruby, i used to get CNAME answer.

pfa

https://user-images.githubusercontent.com/53569528/95339553-ccacdd00-08d1-11eb-97c6-9253d1ad3ff3.png — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/alexdalitz/dnsruby/issues/167, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB2WFWX6W3UZDYWYHMSFFJTSJRWTFANCNFSM4SHNRQCQ.

nagavijayan-nagarathinam commented 3 years ago
Screenshot 2020-10-07 at 7 29 51 PM
alexdalitz commented 3 years ago

So I think you’re getting the same answer from dig as from dnsruby, right?

I think the idea of CAA validation is that it follows the CNAMEs until it finds a CAA record. However, dig and dnsruby are simply returning the results of the original query, which I believe is the correct behaviour - they do not do CAA validation.

On 7 Oct 2020, at 15:03, Nagavijayan notifications@github.com wrote:

https://user-images.githubusercontent.com/53569528/95341464-ec450500-08d3-11eb-9820-752048b689e2.png — You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/alexdalitz/dnsruby/issues/167#issuecomment-704958215, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB2WFWSXOVTY7HPT2AFL7MTSJRYLXANCNFSM4SHNRQCQ.