Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)
Masataka Ohta
mohta at necom830.hpcl.titech.ac.jp
Wed Dec 8 15:23:25 UTC 2021
Arne Jensen wrote:
> It is my understanding that the CNAME should never have been followed,
Wrong.
> since there isn't any covering RRSIG for the actual CNAME, exactly as
> the elaborative message on dnsviz.net claims.
That CNAME RR is authenticated means it securely points to some
other domain name, which may or may not be covered by RRSIG
signature, which is no different from domain names pointed by
signed MX RRs.
Anyway, as so called secure DNS is merely weakly secure
subject to MitM attacks on intermediate zones, there is
no reason to use it only to increase operational efforts
purposelessly.
Masataka Ohta
More information about the NANOG
mailing list