On 4/30/20 2:01 AM, Shumon Huque wrote:
> It definitely can't set the AD bit. So, I suppose your argument is why
> bother authenticating the target. That's a defensible question. [...]

Certainly not defensible. The AD bit isn't the only part. What if the CNAME target is spoofed (BOGUS) or something? Actually, I believe most end-clients don't look at AD, so it's just the SERVFAILs that protect them from using spoofed data.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
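
The AD-versus-SERVFAIL distinction discussed in this message, as an added example that is not part of the original email: a small model of a validating resolver's response policy (RFC 4035 sections 3.2.2, 3.2.3 and 5.5) next to a stub client that never looks at AD. It assumes the case under discussion is a CNAME in an unsigned zone pointing into a signed zone; the zone names, addresses and function names are constructed for illustration.

```python
# Added illustration, not code from the thread. All names and records are constructed.
from dataclasses import dataclass, field

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass
class Response:
    rcode: str
    ad: bool
    answers: list = field(default_factory=list)


def resolver_response(chain, cd=False):
    """Model what a validating resolver returns for a CNAME chain.

    chain: list of (rrset_text, validation_status), one entry per link.
    cd:    Checking Disabled bit from the query (client opts out of validation).
    """
    statuses = [status for _, status in chain]
    # Any bogus link withholds the whole answer, unless the client set CD.
    if BOGUS in statuses and not cd:
        return Response("SERVFAIL", False)
    # AD is set only if every RRset in the answer validated as secure.
    ad = all(status == SECURE for status in statuses)
    return Response("NOERROR", ad, [rrset for rrset, _ in chain])


def stub_uses(resp):
    """A client that ignores AD: it uses the final record of any NOERROR answer."""
    return resp.answers[-1] if resp.rcode == "NOERROR" else None


# Constructed sample chains: unsigned owner zone, signed target zone.
CNAME_LINK = ("www.unsigned.example. CNAME host.signed.example.", INSECURE)
CHAIN_OK = [CNAME_LINK, ("host.signed.example. A 192.0.2.10", SECURE)]
CHAIN_SPOOFED = [CNAME_LINK, ("host.signed.example. A 203.0.113.66", BOGUS)]

if __name__ == "__main__":
    for name, chain in (("ok", CHAIN_OK), ("spoofed", CHAIN_SPOOFED)):
        resp = resolver_response(chain)
        print(f"{name:8} rcode={resp.rcode:8} ad={int(resp.ad)} "
              f"stub uses: {stub_uses(resp)}")
```

In both chains AD is clear because the first link is insecure, so the only signal an AD-ignoring client receives about the spoofed target is the SERVFAIL.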