
ANAME loop detection #45

@fcelda

Description

ANAME loops are more difficult to detect in comparison to CNAME loops. If an authoritative server calls out to an external resolver then the authoritative server loses part of the processing context. This may result in DNS message multiplication and bouncing between the authoritative and the recursive.

This problem might be worth pointing out in the Security considerations.

One way to address this is to point all authoritative servers to a single resolver, make sure the resolver is capable of query de-duplication, and let the authoritative act on SERVFAIL (timeout) when resolving the ANAME.

BIND may have an advantage over the authoritative-only servers as it likely doesn't have to call out to other servers.
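The bounce described in this issue, and the single-resolver-with-de-duplication mitigation proposed above, modelled as an added example (not code from this issue or from any ANAME implementation). Both servers are in-process toys: the authoritative expands an ANAME by calling the shared resolver, the resolver asks the authoritative for the target, and a zone whose ANAME targets point back at each other makes the two bounce queries. The resolver's in-flight list, the `MAX_CHAIN` hop cap, the `example.test.` names and the 192.0.2.10 address are all assumptions constructed for the demonstration.

```python
"""Toy ANAME resolution: an authoritative server that calls out to a shared
resolver, with and without the resolver de-duplicating in-flight queries.

Constructed model, not an ANAME implementation. In this single-threaded model
the resolver's in-flight list is exactly the chain of names currently being
expanded, so its length doubles as the ANAME hop count.
"""
from dataclasses import dataclass, field

SERVFAIL = "SERVFAIL"
NXDOMAIN = "NXDOMAIN"
MAX_CHAIN = 8  # assumed hard cap on ANAME hops per query; not from the draft


@dataclass
class Record:
    rtype: str  # "A" or "ANAME"
    rdata: str  # IPv4 address for A, target owner name for ANAME


@dataclass
class Resolver:
    """The single recursive resolver every authoritative is pointed at."""
    dedupe: bool = True
    auth: "Authoritative | None" = None
    in_flight: list = field(default_factory=list)  # names still being resolved
    queries: int = 0  # messages received, to show the multiplication effect

    def resolve(self, name):
        self.queries += 1
        if len(self.in_flight) >= MAX_CHAIN:
            return SERVFAIL  # chain too long: give up instead of bouncing forever
        if self.dedupe and name in self.in_flight:
            # A query for this name is already pending, so the answer we are
            # being asked for depends on itself: that is an ANAME loop.
            return SERVFAIL
        self.in_flight.append(name)
        try:
            return self.auth.answer(name)
        finally:
            self.in_flight.pop()


@dataclass
class Authoritative:
    """Authoritative-only server holding A and ANAME records."""
    zone: dict
    resolver: Resolver
    queries: int = 0

    def answer(self, name):
        self.queries += 1
        rr = self.zone.get(name)
        if rr is None:
            return NXDOMAIN
        if rr.rtype == "A":
            return [rr.rdata]
        # ANAME: expand by resolving the target through the shared resolver.
        # On SERVFAIL the authoritative acts on it (returns SERVFAIL) rather
        # than retrying, which is what keeps the bounce bounded.
        return self.resolver.resolve(rr.rdata)


def build(zone, dedupe=True):
    """Wire one authoritative and one resolver to each other."""
    resolver = Resolver(dedupe=dedupe)
    auth = Authoritative(zone=zone, resolver=resolver)
    resolver.auth = auth
    return resolver, auth


# Constructed sample zones (example.test. and 192.0.2.10 are placeholders).
OK_ZONE = {
    "www.example.test.": Record("ANAME", "cdn.example.test."),
    "cdn.example.test.": Record("A", "192.0.2.10"),
}
LOOP_ZONE = {
    "www.example.test.": Record("ANAME", "cdn.example.test."),
    "cdn.example.test.": Record("ANAME", "www.example.test."),
}


def run(zone, dedupe=True):
    """Resolve www via the shared resolver; return (answer, resolver_q, auth_q)."""
    resolver, auth = build(zone, dedupe)
    answer = resolver.resolve("www.example.test.")
    return answer, resolver.queries, auth.queries


if __name__ == "__main__":
    print("no loop            :", run(OK_ZONE))
    print("loop, de-duplicated:", run(LOOP_ZONE))
    print("loop, no de-dup    :", run(LOOP_ZONE, dedupe=False))
```

With de-duplication the loop is caught on the third resolver message (the second time `www` is asked for while its first query is still pending); without it, only the hop cap stops the bounce, and the same two records cost nine resolver messages and eight authoritative lookups. A real deployment also needs the resolver's cache and timeouts, which this model omits.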
