== DNS/poisoning/CNAME ==

Two types of cache poisoning with CNAME attack:

 1. a response from an authoritative server that contains a fake record (out-of-bailiwick)
 2. a poison response that has CNAME records in the Answer Section

Type 1 is very old and well known. Type 2 is also old, but is not well known.

== defense in resolver ==

Drop any records in the Answer Section that match any of the following conditions.

 * Defense 1: the owner name does not equal the query name
 * Defense 2: a CNAME record whose owner name already has a record of any type cached
 * Defense 3: a CNAME record whose owner name has a negative cache entry of any type

-- ToshinoriMaeno <>

== RFC 2181 Section 10 ==

https://tools.ietf.org/html/rfc2181#section-10

{{{
That is, for any label in the DNS (any domain name) exactly one of the following is true:
  + one CNAME record exists, optionally accompanied by SIG, NXT, and KEY RRs,
  + one or more records exist, none being CNAME records,
  + the name exists, but has no associated RRs of any type,
  + the name does not exist at all.
}}}

== RFC 4035 ==

2.5. Changes to the CNAME Resource Record

{{{
If a CNAME RRset is present at a name in a signed zone, appropriate RRSIG and NSEC RRsets are REQUIRED at that name.
}}}
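Added example, not part of the original page or any resolver's own code: the three defenses above applied to a constructed Answer Section for a Type 2 response, with the cache state passed in as plain name sets. The RR class, the sample names and the "defenseN" labels are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One resource record from the Answer Section (constructed, not wire format)."""
    name: str    # owner name
    rtype: str   # "A", "CNAME", ...
    rdata: str

def _norm(name: str) -> str:
    """Canonicalise an owner name: case-insensitive, always with a trailing dot."""
    return name.rstrip(".").lower() + "."

def filter_answer(qname, answer, cached_names, negative_names):
    """Apply the page's three resolver-side defenses to an Answer Section.
    cached_names:   owner names that already have an RRset of any type cached
    negative_names: owner names with a negative cache entry (NXDOMAIN or NODATA)
    Returns (kept, dropped); each dropped record is paired with the defense that hit.
    A surviving CNAME is then followed by a fresh query for its target instead of
    trusting target records carried in the same Answer Section.
    """
    q = _norm(qname)
    cached = {_norm(n) for n in cached_names}
    negative = {_norm(n) for n in negative_names}
    kept, dropped = [], []
    for rr in answer:
        owner = _norm(rr.name)
        if owner != q:                                   # Defense 1
            dropped.append((rr, "defense1"))
        elif rr.rtype == "CNAME" and owner in cached:    # Defense 2
            dropped.append((rr, "defense2"))
        elif rr.rtype == "CNAME" and owner in negative:  # Defense 3
            dropped.append((rr, "defense3"))
        else:
            kept.append(rr)
    return kept, dropped

# Constructed sample: a Type 2 response answering www.example.com with a CNAME
# plus an A record for the CNAME target smuggled into the same Answer Section.
SAMPLE_QNAME = "www.example.com"
SAMPLE_ANSWER = [
    RR("www.example.com", "CNAME", "cdn.example.net."),
    RR("cdn.example.net", "A", "192.0.2.1"),
]

if __name__ == "__main__":
    for rr, why in filter_answer(SAMPLE_QNAME, SAMPLE_ANSWER, [], [])[1]:
        print(f"dropped by {why}: {rr}")
```

With an empty cache only the out-of-bailiwick A record is dropped (Defense 1); once www.example.com has any cached RRset or a negative entry, the CNAME itself is dropped as well, which is exactly the exclusivity RFC 2181 Section 10 states.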