nanog mailing list archives
Re: Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)
From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Fri, 10 Dec 2021 22:25:37 +0900
Arne Jensen wrote:
> Because every authoritative RRset in a zone must be protected by a digital signature, RRSIG RRs must be present for names containing a CNAME RR. This is a change to the traditional DNS specification [RFC1034], which stated that if a CNAME is present for a name, it is the only type allowed at that name. A RRSIG and NSEC (see Section 4) MUST exist for the same name as a CNAME resource record in a signed zone.
>
> Can you tell me what exactly this means?
Hmm, it should mean the specification of RFC 4034 is incomplete. That is, the RFC certainly specifies that a domain name for CNAME may also have RRSIG. However, the RFC does not say that, if a query to a server is for CNAME, the server must also return RRSIG.

Worse, even if authoritative nameservers return both CNAME and RRSIG, if the TTL of CNAME is longer than that of RRSIG, the cache of a resolver may only contain CNAME. Or, if a resolver is not aware of DNSSEC, RRSIG won't be returned for a CNAME query.

As such, when a query for CNAME does not return RRSIG, resolvers must explicitly ask for RRSIG by another query message, the specification for which is missing in the RFC.

Masataka Ohta
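A defender-side check for the situation described in this message, added here as an example (it is not code from the thread or from any DNS implementation): given the answer section of a DNSSEC response in dig-style presentation format, it flags every CNAME that has no RRSIG covering type CNAME at the same name, and every covering RRSIG whose TTL differs from the CNAME's, which is the case where a cache can keep one record after the other has expired. The zone names and sample records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: str  # for an RRSIG the first rdata token is the "type covered" field

def parse_answer(text: str) -> list[RR]:
    """Parse dig-style lines: '<name> <ttl> IN <type> <rdata>'; skip comments."""
    rrs = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        rrs.append(RR(name=name, rtype=rtype, ttl=int(ttl), rdata=rdata))
    return rrs

def check_cname_rrsig(answer: list[RR]) -> list[str]:
    """Return one problem string per CNAME lacking a covering RRSIG at the
    same owner name, and per covering RRSIG whose TTL disagrees with it.
    RFC 4034 section 3 requires an RRSIG's TTL to equal the covered RRset's."""
    problems = []
    for c in (rr for rr in answer if rr.rtype == "CNAME"):
        sigs = [rr for rr in answer
                if rr.rtype == "RRSIG" and rr.name == c.name
                and rr.rdata.split()[0] == "CNAME"]
        if not sigs:
            problems.append(f"{c.name}: CNAME present but no RRSIG covering CNAME")
            continue
        for s in sigs:
            if s.ttl != c.ttl:
                problems.append(f"{c.name}: RRSIG TTL {s.ttl} != CNAME TTL {c.ttl};"
                                " a cache may retain one without the other")
    return problems

# Constructed sample answer sections (signature data is a placeholder).
SAMPLE_OK = """
www.example. 300 IN CNAME host.example.
www.example. 300 IN RRSIG CNAME 13 2 300 20211231000000 20211201000000 12345 example. SIGDATA==
"""
SAMPLE_TTL_MISMATCH = """
www.example. 3600 IN CNAME host.example.
www.example. 300 IN RRSIG CNAME 13 2 300 20211231000000 20211201000000 12345 example. SIGDATA==
"""
SAMPLE_MISSING = """
www.example. 300 IN CNAME host.example.
host.example. 300 IN A 192.0.2.10
host.example. 300 IN RRSIG A 13 2 300 20211231000000 20211201000000 12345 example. SIGDATA==
"""

if __name__ == "__main__":
    for label, text in [("ok", SAMPLE_OK), ("ttl", SAMPLE_TTL_MISMATCH), ("missing", SAMPLE_MISSING)]:
        print(label, check_cname_rrsig(parse_answer(text)) or "no problems")
```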