Re: [exim] 454 Error

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] 454 Error

> On Jul 27, 2016, at 3:35 PM, John C Klensin <john-ietf@???> wrote:
>
> Keep in
> mind that a CNAME can point anywhere in the tree and that, in
> the general case (the SMTP requirement that the
> originally-specified domain appear in RCPT and that only final
> names (no aliases) can appear in some other places is an
> exception), applications may not find out the original name and
> the DNS provides no "came from" function. In that kind of
> situation, _especially_ in that kind of situation, one would
> really like an integrity check on DNS replies to validate the
> aliases including the technical and policy legitimacy of the
> pointer relationship, not just that the label, RRTYPE, data,
> etc., are what existed in the relevant authoritative server (and
> that it _is_ the authoritative server).


My expectations of DNSSEC are more modest; I seek only MITM
resistance. Just a different perspective on the same facts,
so your explanation was helpful and sufficient, thanks.

-- 
    Viktor.