1. DNS/poisoning/CNAME

Two types of cache poisoning with CNAME attacks:

  1. a response from an authoritative server that contains a fake (out-of-bailiwick) record
  2. a poisoned response that carries CNAME records in the Answer Section

Type 1 is very old and well known. Type 2 is also old, but not well known.

2. defense in resolver

Drop any record in the Answer Section that matches any of the following conditions.

Defense 1: the owner name does not equal the query name.

Defense 2: a CNAME record whose owner name is already cached with any type.

Defense 3: a CNAME record whose owner name has a negative cache entry of any type.

-- ToshinoriMaeno 2016-07-23 00:54:11
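The three drop rules above, as an added Python example that is not code from the original page; the RR class, the cache shapes and the names under example.test are constructed assumptions. Defense 2 is tied here to the RFC 2181 section 10 rule that a CNAME stands alone at its name.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One Answer Section record (rdata kept as text); constructed shape."""
    name: str
    rtype: str
    rdata: str

def _norm(name):
    """Canonical owner name: lower-case with one trailing dot (DNS names are case-insensitive)."""
    return name.rstrip(".").lower() + "."

def filter_answer(qname, answer, positive_cache, negative_cache):
    """Apply defenses 1-3 to an Answer Section; return (accepted, dropped_with_reason).

    positive_cache: set of (owner name, rtype) pairs already cached (assumed shape).
    negative_cache: set of owner names holding a negative cache entry (NXDOMAIN/NODATA).
    Records owned by a CNAME target are not accepted here; the resolver re-queries the target.
    """
    q = _norm(qname)
    cached = {_norm(n) for n, _ in positive_cache}
    negative = {_norm(n) for n in negative_cache}
    accepted, dropped = [], []
    for rr in answer:
        name = _norm(rr.name)
        if name != q:  # Defense 1: owner name must equal the query name
            dropped.append((rr, "defense1: owner name differs from query name"))
        elif rr.rtype == "CNAME" and name in cached:  # Defense 2: RFC 2181 s10, CNAME is alone
            dropped.append((rr, "defense2: name already cached with some type"))
        elif rr.rtype == "CNAME" and name in negative:  # Defense 3: no CNAME over a negative entry
            dropped.append((rr, "defense3: name has a negative cache entry"))
        else:
            accepted.append(rr)
    return accepted, dropped

def demo():
    """Constructed cases, one per defense, plus a clean CNAME that is accepted."""
    pos = {("mail.example.test.", "MX")}
    neg = {"gone.example.test."}
    cases = {
        "www.example.test": [RR("www.example.test.", "A", "192.0.2.10"),
                             RR("other.example.test.", "A", "192.0.2.66")],  # defense 1 drops 2nd
        "mail.example.test": [RR("MAIL.example.test.", "CNAME", "x.example.test.")],  # defense 2
        "gone.example.test": [RR("gone.example.test.", "CNAME", "x.example.test.")],  # defense 3
        "alias.example.test": [RR("alias.example.test.", "CNAME", "x.example.test.")],  # accepted
    }
    return {q: filter_answer(q, ans, pos, neg) for q, ans in cases.items()}
```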

3. RFC 2181 Section 10

https://tools.ietf.org/html/rfc2181#section-10

That is, for any label in the DNS (any domain name) exactly one of the following is true:
     + one CNAME record exists, optionally accompanied by SIG, NXT, and KEY RRs,
     + one or more records exist, none being CNAME records,
     + the name exists, but has no associated RRs of any type,
     + the name does not exist at all.

4. RFC 4035

2.5. Changes to the CNAME Resource Record

If a CNAME RRset is present at a name in a signed zone, appropriate
RRSIG and NSEC RRsets are REQUIRED at that name.