Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)

Masataka Ohta mohta at necom830.hpcl.titech.ac.jp
Fri Dec 10 13:25:37 UTC 2021


Arne Jensen wrote:

>>     Because every authoritative RRset in a zone must be protected by a
>>     digital signature, RRSIG RRs must be present for names containing a
>>     CNAME RR.  This is a change to the traditional DNS specification
>>     [RFC1034], which stated that if a CNAME is present for a name, it is
>>     the only type allowed at that name.  A RRSIG and NSEC (see Section 4)
>>     MUST exist for the same name as a CNAME resource record in a signed
>>     zone.
> Can you tell me what exactly this means?

Hmm, it should mean the specification of rfc4034 is incomplete.

That is, the rfc certainly specifies that the domain name for a CNAME
may also have an RRSIG.

However, the rfc does not say that, if a query to a server is
for CNAME, the server must also return the RRSIG.

Worse, even if authoritative nameservers return both the CNAME and
the RRSIG, if the TTL of the CNAME is longer than that of the RRSIG,
the cache of a resolver may only contain the CNAME. Or, if a resolver
is not aware of DNSSEC, the RRSIG won't be returned for a CNAME query.

As such, when a query for CNAME does not return an RRSIG, resolvers
must explicitly ask for the RRSIG with another query message, the
specification for which is missing in the rfc.

						Masataka Ohta


More information about the NANOG mailing list