Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)

Masataka Ohta mohta at necom830.hpcl.titech.ac.jp
Wed Dec 8 15:23:25 UTC 2021


Arne Jensen wrote:

> It is my understanding that the CNAME should never have been followed,

Wrong.

> since there isn't any covering RRSIG for the actual CNAME, exactly as 
> the elaborative message on dnsviz.net claims.

That CNAME RR is authenticated means it securely points to some
other domain name, which may or may not be covered by RRSIG
signature, which is no different from domain names pointed by
signed MX RRs.

Anyway, as so called secure DNS is merely weakly secure
subject to MitM attacks on intermediate zones, there is
no reason to use it only to increase operational efforts
purposelessly.

						Masataka Ohta


More information about the NANOG mailing list