Even with a CNAME record, the delv command will validate each step of the resolution. You can use the +vtrace option to see each validation and +mtrace to see each individual message.

-Evan

Get BlueMail <https://bluemail.me> for Desktop

Ondřej Surý wrote:

The DO flag is an indication to “do DNSSEC”; it has no other meaning. You should be looking for the AD flag.

As for delv output: it prints out which names are validated and those that are not. I don’t see anything wrong here.

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

On 1. 11. 2024, at 16:21, Bob McDonald <bmcdonal...@gmail.com> wrote:

The host is www.irs.gov.

A further question. DIG sets the DO flag even though the second and third entries in the CNAME chain are not signed. There's basically no indication that there's really any issue. DELV indicates the host as "fully validated", then flags the second entry in the CNAME chain as an "unsigned answer". Should there be some further checking/indications of the issue?

There's also the issue of CNAME chaining, which, as I recall, was at one time considered bad form. However, it's used extensively across the internet. (something like domain apex CNAMEs...)

Here's the DIG and DELV output (the recursive server is running BIND 9.20.2 on a Raspberry Pi under FreeBSD 14.1-p6):

root@RaspberryPI-00:~ # dig www.irs.gov. +dnssec

; <<>> DiG 9.20.2 <<>> www.irs.gov. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48697
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 086e3ab5107beca9010000006724eafeedfc230db3b6dfaf (good)
;; QUESTION SECTION:
;www.irs.gov.                   IN      A

;; ANSWER SECTION:
www.irs.gov.                    300     IN      CNAME   www.irs.gov.edgekey.net.
www.irs.gov.                    300     IN      RRSIG   CNAME 8 3 300 20241115030055 20241101020055 49935 irs.gov. GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31 Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3 d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5 LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q=
www.irs.gov.edgekey.net.        300     IN      CNAME   e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net.   20      IN      A       23.208.28.29
e127382.dscna.akamaiedge.net.   20      IN      A       23.208.28.37

;; AUTHORITY SECTION:
dscna.akamaiedge.net.           4000    IN      NS      n0dscna.akamaiedge.net.
dscna.akamaiedge.net.           4000    IN      NS      n3dscna.akamaiedge.net.
dscna.akamaiedge.net.           4000    IN      NS      n2dscna.akamaiedge.net.
dscna.akamaiedge.net.           4000    IN      NS      n5dscna.akamaiedge.net.
dscna.akamaiedge.net.           4000    IN      NS      n4dscna.akamaiedge.net.
dscna.akamaiedge.net.           4000    IN      NS      n1dscna.akamaiedge.net.
dscna.akamaiedge.net.           4000    IN      NS      n6dscna.akamaiedge.net.
dscna.akamaiedge.net.           4000    IN      NS      n7dscna.akamaiedge.net.

;; ADDITIONAL SECTION:
n0dscna.akamaiedge.net.         4000    IN      AAAA    2600:1480:e800::c0
n0dscna.akamaiedge.net.         4000    IN      A       88.221.81.192
n1dscna.akamaiedge.net.         4000    IN      A       23.63.249.205
n2dscna.akamaiedge.net.         4000    IN      A       23.44.6.12
n3dscna.akamaiedge.net.         4000    IN      A       23.44.6.9
n4dscna.akamaiedge.net.         4000    IN      A       23.44.6.38
n5dscna.akamaiedge.net.         4000    IN      A       23.44.6.13
n6dscna.akamaiedge.net.         4000    IN      A       23.44.6.22
n7dscna.akamaiedge.net.         4000    IN      A       23.218.252.156

;; Query time: 425 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Fri Nov 01 14:51:42 UTC 2024
;; MSG SIZE  rcvd: 803

root@RaspberryPI-00:~ # delv www.irs.gov.
; fully validated
www.irs.gov.                    297     IN      CNAME   www.irs.gov.edgekey.net.
www.irs.gov.                    297     IN      RRSIG   CNAME 8 3 300 20241115030055 20241101020055 49935 irs.gov. GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31 Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3 d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5 LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q=
; unsigned answer
www.irs.gov.edgekey.net.        75      IN      CNAME   e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net.   20      IN      A       23.208.28.6
e127382.dscna.akamaiedge.net.   20      IN      A       23.208.28.30

Regards,

Bob

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
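As an added illustration (not code from the thread or from BIND), the following Python script parses a dig answer, constructed here from the output quoted in the thread with the signature data shortened to a placeholder, and reports the two things discussed above: the DO bit in the EDNS flags only asks the resolver to do DNSSEC, while the AD bit in the header flags is the resolver's verdict, and walking the CNAME chain shows which RRsets carry an RRSIG and which do not, much as delv annotates "fully validated" versus "unsigned answer". It checks only for the presence of RRSIGs; it does not verify them.

```python
import re

# Constructed sample, abridged from the dig output quoted above (signature data
# replaced by a placeholder). Note the header flags carry no 'ad' bit.
SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
www.irs.gov.  300  IN  CNAME  www.irs.gov.edgekey.net.
www.irs.gov.  300  IN  RRSIG  CNAME 8 3 300 20241115030055 20241101020055 49935 irs.gov. SIG-PLACEHOLDER
www.irs.gov.edgekey.net.  300  IN  CNAME  e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net.  20  IN  A  23.208.28.29
"""

def validation_status(text):
    # 'do' (EDNS flags) is only a request; 'ad' (header flags) is the resolver's verdict.
    hdr = re.search(r"^;; flags: ([^;]*);", text, re.M)
    edns = re.search(r"^; EDNS: .*?flags: ([^;]*);", text, re.M)
    hdr_flags = set(hdr.group(1).split()) if hdr else set()
    edns_flags = set(edns.group(1).split()) if edns else set()
    return {"do_requested": "do" in edns_flags, "ad_validated": "ad" in hdr_flags}

def parse_answer(text):
    """Yield (owner, rtype, rdata) for each record of the ANSWER SECTION."""
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";"):
            in_answer = False
        elif in_answer and line.strip():
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            yield owner, rtype, rdata

def audit_chain(text, qname):
    """Walk the CNAME chain from qname; per RRset, report whether an RRSIG
    covering its type is present (presence only, signatures are not verified)."""
    rrsets, signed = {}, set()
    for owner, rtype, rdata in parse_answer(text):
        if rtype == "RRSIG":
            signed.add((owner, rdata.split()[0]))  # first RRSIG field: type covered
        else:
            rrsets.setdefault((owner, rtype), []).append(rdata)
    report, name = [], qname
    # the membership test on report guards against a CNAME loop
    while (name, "CNAME") in rrsets and name not in {r[0] for r in report}:
        report.append((name, "CNAME", (name, "CNAME") in signed))
        name = rrsets[(name, "CNAME")][0]
    report += [(o, t, (o, t) in signed) for (o, t) in rrsets if o == name and t != "CNAME"]
    return report
```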