The DO flag is an indication to “do DNSSEC”; it has no other meaning. You should be looking for the AD flag.

As for the delv output: it prints out which names are validated and those that are not. I don’t see anything wrong here.
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

On 1. 11. 2024, at 16:21, Bob McDonald <bmcdonal...@gmail.com> wrote:


The host is www.irs.gov.

A further question.

DIG sets the DO flag even though the second and third entries in the CNAME chain are not signed. There's basically no indication that there's really any issue.

DELV indicates the host as "fully validated" then flags the second entry in the CNAME chain as an "unsigned answer".

Should there be some further checking/indications of the issue?

There's also the issue of CNAME chaining which as I recall was at one time considered bad form. However, it's used extensively across the internet. (something like domain apex CNAMEs...)

Here's the DIG and DELV output (recursive server is running BIND 9.20.2 on a Raspberry Pi under FreeBSD 14.1-p6):

root@RaspberryPI-00:~ # dig www.irs.gov. +dnssec

; <<>> DiG 9.20.2 <<>> www.irs.gov. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48697
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 086e3ab5107beca9010000006724eafeedfc230db3b6dfaf (good)
;; QUESTION SECTION:
;www.irs.gov.                   IN      A

;; ANSWER SECTION:
www.irs.gov.            300     IN      CNAME   www.irs.gov.edgekey.net.
www.irs.gov.            300     IN      RRSIG   CNAME 8 3 300 20241115030055 20241101020055 49935 irs.gov. GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31 Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3 d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5 LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q==
www.irs.gov.edgekey.net. 300    IN      CNAME   e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net. 20 IN     A       23.208.28.29
e127382.dscna.akamaiedge.net. 20 IN     A       23.208.28.37

;; AUTHORITY SECTION:
dscna.akamaiedge.net.   4000    IN      NS      n0dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n3dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n2dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n5dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n4dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n1dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n6dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n7dscna.akamaiedge.net.

;; ADDITIONAL SECTION:
n0dscna.akamaiedge.net. 4000    IN      AAAA    2600:1480:e800::c0
n0dscna.akamaiedge.net. 4000    IN      A       88.221.81.192
n1dscna.akamaiedge.net. 4000    IN      A       23.63.249.205
n2dscna.akamaiedge.net. 4000    IN      A       23.44.6.12
n3dscna.akamaiedge.net. 4000    IN      A       23.44.6.9
n4dscna.akamaiedge.net. 4000    IN      A       23.44.6.38
n5dscna.akamaiedge.net. 4000    IN      A       23.44.6.13
n6dscna.akamaiedge.net. 4000    IN      A       23.44.6.22
n7dscna.akamaiedge.net. 4000    IN      A       23.218.252.156

;; Query time: 425 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Fri Nov 01 14:51:42 UTC 2024
;; MSG SIZE  rcvd: 803


root@RaspberryPI-00:~ # delv www.irs.gov.
; fully validated
www.irs.gov.            297     IN      CNAME   www.irs.gov.edgekey.net.
www.irs.gov.            297     IN      RRSIG   CNAME 8 3 300 20241115030055 20241101020055 49935 irs.gov. GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31 Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3 d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5 LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q==

; unsigned answer
www.irs.gov.edgekey.net. 75     IN      CNAME   e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net. 20 IN     A       23.208.28.6
e127382.dscna.akamaiedge.net. 20 IN     A       23.208.28.30


Regards,

Bob

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
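The distinction in the reply above (DO is an EDNS request bit, AD is the validation result) is easy to see at the wire level, because the two bits live in different places: AD is a header flag, while DO is the high bit of the OPT pseudo-record's TTL field. The following stdlib-only Python is an added example, not code from the thread, from ISC or from BIND; it constructs two small response messages (a made-up message ID and the www.irs.gov question, with no answer records) and parses the flags back out the way a validating client should, treating only AD as the "this was validated" signal.

```python
import struct

# DNS header flag bits (RFC 1035, AD/CD from RFC 4035), positions in the 16-bit flags word
FLAG_QR = 1 << 15
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5
FLAG_CD = 1 << 4

# The EDNS DO bit is the high bit of the OPT record's 32-bit TTL field
# (ext-rcode:8 | version:8 | DO:1 | Z:15), see RFC 6891 section 6.1.3
EDNS_DO = 1 << 15
TYPE_OPT = 41


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, header_flags, do_bit):
    """Constructed response: header, one question, no answers, one OPT record."""
    flags = FLAG_QR | header_flags
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)  # id (made up), flags, counts
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    ttl = EDNS_DO if do_bit else 0  # ext-rcode 0, version 0, DO bit, Z zero
    # OPT: root name, type 41, "class" carries the UDP payload size, rdlength 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, ttl, 0)
    return hdr + question + opt


def skip_name(msg, off):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_flags(msg):
    """Extract header flags and the EDNS DO bit from a wire-format message."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            do = True
    return {
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "do": do,
    }


def is_validated(msg):
    """Only AD means the resolver validated the data; DO alone proves nothing."""
    return parse_flags(msg)["ad"]


if __name__ == "__main__":
    # Mirrors the dig output above: "flags: qr rd ra" plus "EDNS: ... flags: do"
    unvalidated = build_response("www.irs.gov.", FLAG_RD | FLAG_RA, True)
    validated = build_response("www.irs.gov.", FLAG_RD | FLAG_RA | FLAG_AD, True)
    print("DO set, AD clear ->", parse_flags(unvalidated), "validated:", is_validated(unvalidated))
    print("DO set, AD set   ->", parse_flags(validated), "validated:", is_validated(validated))
```

Run against the dig output quoted above, the header line `flags: qr rd ra` has no `ad`, so the first case applies: the DO bit in the OPT pseudo-section merely echoes what the client asked for, and the absence of AD is the only statement the resolver makes about validation of that CNAME chain.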