pub async fn resolve_secure_cname(mx_host: &str) -> Result<SecureCnameStatus>Expand description
Performs an explicit CNAME lookup for mx_host to determine whether it is
a securely published alias.
This is a narrow fallback in the DANE path: when the MX host’s address
(A/AAAA) records did not resolve securely we may still be looking at a secure
CNAME whose target merely lives in an unsigned zone. Querying the CNAME
type explicitly isolates the alias’s own DNSSEC status (a CNAME-type query is
answered by the alias RRset and is not chased into the insecure target), and
works uniformly across resolver backends because it relies only on the
per-answer secure bit rather than per-record validation proofs.