Thanks guys! As usual, you've taught me an invaluable lesson.
Regards,
Bob

On Fri, Nov 1, 2024 at 11:42 AM Evan McKinney <e...@evanm.nyc> wrote:
> Even with a CNAME record, the delv command will validate each step of the
> resolution. You can use the +vtrace option to see each validation and
> +mtrace to see each individual message.
> -Evan
>
> Get BlueMail <https://bluemail.me> for Desktop
>
> Ondřej Surý wrote:
> > DO flag is indication to “do DNSSEC”, it has no other meaning. You should
> > be looking for AD flag.
> >
> > As for delv output - it prints out which names are validated and those
> > that are not. I don’t see anything wrong here.
> > --
> > Ondřej Surý — ISC (He/Him)
> >
> > My working hours and your working hours may be different. Please do not
> > feel obligated to reply outside your normal working hours.
> >
> > On 1. 11. 2024, at 16:21, Bob McDonald <bmcdonal...@gmail.com> wrote:
> > > The host is www.irs.gov.
> > >
> > > A further question.
> > >
> > > DIG sets the DO flag even though the second and third entries in the CNAME
> > > chain are not signed. There's basically no indication that there's really
> > > any issue.
> > >
> > > DELV indicates the host as "fully validated" then flags the second entry
> > > in the CNAME chain as an "unsigned answer".
> > >
> > > Should there be some further checking/indications of the issue?
> > >
> > > There's also the issue of CNAME chaining which as I recall was at one time
> > > considered bad form. However, it's used extensively across the internet.
> > > (something like domain apex > CNAMEs...)
> > >
> > > Here's the DIG and DELV output (recursive server is running BIND 9.20.2 on
> > > a Raspberry Pi under FreeBSD 14.1-p6):
> > >
> > > root@RaspberryPI-00:~ # dig www.irs.gov. +dnssec
> > >
> > > ; <<>> DiG 9.20.2 <<>> www.irs.gov. +dnssec
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48697
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10
> > >
> > > ;; OPT PSEUDOSECTION:
> > > ; EDNS: version: 0, flags: do; udp: 1232
> > > ; COOKIE: 086e3ab5107beca9010000006724eafeedfc230db3b6dfaf (good)
> > > ;; QUESTION SECTION:
> > > ;www.irs.gov. IN A
> > >
> > > ;; ANSWER SECTION:
> > > www.irs.gov. 300 IN CNAME www.irs.gov.edgekey.net.
> > > www.irs.gov. 300 IN RRSIG CNAME 8 3 300
> > > 20241115030055 20241101020055 49935 irs.gov.
> > > GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o
> > > MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31
> > > Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3
> > > d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5
> > > LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX
> > > bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q==
> > > www.irs.gov.edgekey.net. 300 IN CNAME e127382.dscna.akamaiedge.net.
> > > e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.29
> > > e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.37
> > >
> > > ;; AUTHORITY SECTION:
> > > dscna.akamaiedge.net. 4000 IN NS n0dscna.akamaiedge.net.
> > > dscna.akamaiedge.net. 4000 IN NS n3dscna.akamaiedge.net.
> > > dscna.akamaiedge.net. 4000 IN NS n2dscna.akamaiedge.net.
> > > dscna.akamaiedge.net. 4000 IN NS n5dscna.akamaiedge.net.
> > > dscna.akamaiedge.net. 4000 IN NS n4dscna.akamaiedge.net.
> > > dscna.akamaiedge.net. 4000 IN NS n1dscna.akamaiedge.net.
> > > dscna.akamaiedge.net. 4000 IN NS n6dscna.akamaiedge.net.
> > > dscna.akamaiedge.net. 4000 IN NS n7dscna.akamaiedge.net.
> > >
> > > ;; ADDITIONAL SECTION:
> > > n0dscna.akamaiedge.net. 4000 IN AAAA 2600:1480:e800::c0
> > > n0dscna.akamaiedge.net. 4000 IN A 88.221.81.192
> > > n1dscna.akamaiedge.net. 4000 IN A 23.63.249.205
> > > n2dscna.akamaiedge.net. 4000 IN A 23.44.6.12
> > > n3dscna.akamaiedge.net. 4000 IN A 23.44.6.9
> > > n4dscna.akamaiedge.net. 4000 IN A 23.44.6.38
> > > n5dscna.akamaiedge.net. 4000 IN A 23.44.6.13
> > > n6dscna.akamaiedge.net. 4000 IN A 23.44.6.22
> > > n7dscna.akamaiedge.net. 4000 IN A 23.218.252.156
> > >
> > > ;; Query time: 425 msec
> > > ;; SERVER: ::1#53(::1) (UDP)
> > > ;; WHEN: Fri Nov 01 14:51:42 UTC 2024
> > > ;; MSG SIZE rcvd: 803
> > >
> > >
> > > root@RaspberryPI-00:~ # delv www.irs.gov.
> > > ; fully validated
> > > www.irs.gov. 297 IN CNAME www.irs.gov.edgekey.net.
> > > www.irs.gov. 297 IN RRSIG CNAME 8 3 300
> > > 20241115030055 20241101020055 49935 irs.gov.
> > > GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o
> > > MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31
> > > Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3
> > > d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5
> > > LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX
> > > bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q==
> > >
> > > ; unsigned answer
> > > www.irs.gov.edgekey.net. 75 IN CNAME e127382.dscna.akamaiedge.net.
> > > e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.6
> > > e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.30
> > >
> > >
> > > Regards,
> > >
> > > Bob
> > >
> > > --
> > > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> > > from this list
> > >
> > > ISC funds the development of this software with paid support
> > > subscriptions. Contact us at https://www.isc.org/contact/ for more
> > > information.
> > >
> > >
> > > bind-users mailing list
> > > bind-users@lists.isc.org
> > > https://lists.isc.org/mailman/listinfo/bind-users
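To make Ondřej's DO-versus-AD point and delv's per-hop view concrete, here is an added parser (not from the thread and not part of BIND) that reads the dig +dnssec output quoted above, reports whether DO was merely requested or AD was actually set by the resolver, and walks the CNAME chain noting which hop still carries an RRSIG, mirroring delv's "fully validated" / "unsigned answer" split. It assumes dig's default one-record-per-line layout and embeds an abridged copy of the quoted output as constructed input.

```python
import re

# Constructed sample: the dig +dnssec answer quoted in the thread, abridged (RRSIG data shortened).
DIG_OUTPUT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
www.irs.gov. 300 IN CNAME www.irs.gov.edgekey.net.
www.irs.gov. 300 IN RRSIG CNAME 8 3 300 20241115030055 20241101020055 49935 irs.gov. GTyX...
www.irs.gov.edgekey.net. 300 IN CNAME e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.29
e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.37
;; AUTHORITY SECTION:
"""

def flags(text, pattern):
    """Flag tokens captured by group 1 of pattern on one line of dig output."""
    m = re.search(pattern, text, re.M)
    return set(m.group(1).split()) if m else set()

def answer_records(text):
    """Yield (owner, rtype, rdata) for each record in the ANSWER section."""
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";;"):               # section header / summary line
            in_answer = line.startswith(";; ANSWER SECTION:")
        elif in_answer and line.strip():
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            yield owner, rtype, rdata

def chain_report(text, qname):
    """Follow the CNAME chain from qname; per hop, is there an RRSIG covering it?"""
    recs = list(answer_records(text))
    signed = {(o, r.split()[0]) for o, t, r in recs if t == "RRSIG"}
    hops, name = [], qname
    for _ in range(len(recs)):                  # bounded: tolerates a CNAME loop
        types = [t for o, t, _r in recs if o == name and t != "RRSIG"]
        if not types:                           # chain ends without an answer
            break
        rtype = "CNAME" if "CNAME" in types else types[0]
        hops.append((name, rtype, (name, rtype) in signed))
        if rtype != "CNAME":
            break
        name = next(r for o, t, r in recs if o == name and t == "CNAME")
    return hops

def summarize(text, qname):
    """DO in the EDNS line only says DNSSEC was requested; AD says it validated."""
    return {"do_requested": "do" in flags(text, r"^; EDNS: .*flags: ([^;]*);"),
            "ad_set": "ad" in flags(text, r"^;; flags: ([^;]*);"),
            "hops": chain_report(text, qname)}
```

For the quoted output this reports DO requested, AD absent, and only the first hop (www.irs.gov. CNAME) signed, which is exactly what delv's two annotations say.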