each / draft-aname

work on a draft to standardize ANAME/ALIAS records to allow CNAME-like records at the zone apex

hop count for loop detection? #8

Closed Habbie closed 6 years ago

Habbie commented 7 years ago

"In particular, the suggested recursive DNS lookup needs some form of distributed loop detection. Otherwise, a malicious customer could publish two zones with ANAME records and achieve significant traffic amplification, potentially taking down the DNS hoster. A hop count in an EDNS option or an “ANAME lookup in progress” indicator would be one way to implement this. Another approach would impose restrictions on the owner name of an ANAME record and its target, and restrict where CNAMEs can appear, so that a valid ANAME can never point to another valid ANAME." (Florian Weimer)
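To make the two options in the quoted text concrete, here is an added toy example (not code from the draft-aname project): a resolver-side ANAME chase that carries a hop count and an "in progress" marker for the names on the current lookup path, next to a publish-time check that rejects an ANAME whose target is itself an ANAME owner. The zone data, the `MAX_HOPS` budget and all function names are constructed assumptions for the demonstration.

```python
"""Added example (not from draft-aname): loop detection for ANAME chasing.

Two mechanisms from the issue text are modelled:
  1. a hop count forwarded with each nested lookup (like an EDNS hop-count option),
  2. an "ANAME lookup in progress" marker for names on the current path,
plus a static zone check so that a valid ANAME never points at another ANAME.
All zone data below is constructed for the example.
"""
from typing import Dict, List, Tuple

# Constructed zone data: owner name -> list of (rrtype, rdata).
# a.test. and b.test. ANAME at each other, the loop the issue warns about.
ZONES: Dict[str, List[Tuple[str, str]]] = {
    "example.":         [("ANAME", "www.example-cdn.")],
    "www.example-cdn.": [("A", "192.0.2.10")],
    "a.test.":          [("ANAME", "b.test.")],
    "b.test.":          [("ANAME", "a.test.")],
    "chain.test.":      [("ANAME", "hop1.test.")],
    "hop1.test.":       [("ANAME", "hop2.test.")],
    "hop2.test.":       [("A", "198.51.100.5")],
}

MAX_HOPS = 4  # assumed hop budget carried with every nested lookup


class AnameLoop(Exception):
    """Raised when a lookup is refused because of a loop or hop-limit hit."""


def resolve_aname(name, zones=ZONES, hops=0, in_progress=None, track_path=True):
    """Follow ANAME records from `name` and return the A rdata reached.

    `hops` models the hop count forwarded on each nested lookup.  When
    `track_path` is true, `in_progress` models the "ANAME lookup in progress"
    marker: a name already on the current path is refused immediately, before
    the hop budget is spent.  With `track_path` false only the hop count
    protects against the loop.
    """
    if in_progress is None:
        in_progress = set()
    if hops > MAX_HOPS:
        raise AnameLoop(f"hop limit {MAX_HOPS} exceeded at {name}")
    if track_path and name in in_progress:
        raise AnameLoop(f"{name} already being resolved on this path")
    rrs = zones.get(name, [])
    targets = [rdata for rrtype, rdata in rrs if rrtype == "ANAME"]
    if not targets:
        return [rdata for rrtype, rdata in rrs if rrtype == "A"]
    in_progress.add(name)
    try:
        return resolve_aname(targets[0], zones, hops + 1, in_progress, track_path)
    finally:
        in_progress.discard(name)


def try_resolve(name, **kwargs):
    """Convenience wrapper: ("ok", records) or ("loop", reason)."""
    try:
        return ("ok", resolve_aname(name, **kwargs))
    except AnameLoop as exc:
        return ("loop", str(exc))


def check_zone_anames(zones=ZONES):
    """Publish-time check (the second approach in the quoted text): list every
    ANAME whose target owner also holds an ANAME, so loops are rejected when the
    zone is loaded rather than discovered at query time."""
    problems = []
    for owner, rrs in zones.items():
        for rrtype, target in rrs:
            if rrtype == "ANAME" and any(t == "ANAME" for t, _ in zones.get(target, [])):
                problems.append((owner, target))
    return problems


if __name__ == "__main__":
    print(try_resolve("example."))
    print(try_resolve("a.test."))                    # refused by the in-progress marker
    print(try_resolve("a.test.", track_path=False))  # refused by the hop count instead
    print(check_zone_anames())
```

The in-progress marker stops the loop on the first revisit, while the hop count alone lets the two zones bounce `MAX_HOPS` times before giving up; that difference is the amplification the issue is concerned about, and the static check avoids both costs by refusing to load such a zone.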

each commented 7 years ago

Added a mention of this in the security considerations. Should it be mentioned more prominently elsewhere or is this good enough?