You can validate all you want but you need to sign your zones and all the
targets of the CNAME chains from your zones for DNSSEC to be effective.
This is paying lip service to the "sign your zones" directive.

% dig www.dhs.gov +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.21.3-dev <<>> www.dhs.gov +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33641
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 2022d7bf21b706ff01000000679960aa8182fe6b620e54e0 (good)
;; QUESTION SECTION:
;www.dhs.gov. IN A

;; ANSWER SECTION:
www.dhs.gov. 298 IN CNAME www.dhs.gov.edgekey.net.
www.dhs.gov. 298 IN RRSIG CNAME 13 3 300 20250129235639 20250127215639 34505 dhs.gov. JJnlIm2HQvUKM25ZvTUGRbZJDhVdkFy/+KHZz8jGixSNkAxniu7Z+whq5g+dvwD403tsLw0x1KL1UDuMXgLlAQ==
www.dhs.gov.edgekey.net. 299 IN CNAME e6485.dsca.akamaiedge.net.
e6485.dsca.akamaiedge.net. 20 IN A 23.38.138.46

;; Query time: 3794 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Wed Jan 29 09:56:42 AEDT 2025
;; MSG SIZE  rcvd: 260

% 

> On 28 Jan 2025, at 16:32, Crist Clark <cjc+bind-us...@pumpky.net> wrote:
> 
> US Federal civilian agencies have been required to do DNSSEC validation for 
> over ten years.
> 
> On Mon, Jan 27, 2025 at 7:42 PM Grant Taylor via bind-users 
> <bind-users@lists.isc.org> wrote:
> On 1/27/25 07:02, Carlos Horowicz via bind-users wrote:
> > IMHO this has nothing to do with DNSSEC,
> 
> HEAVYsigh
> 
> Why do things seem to focus on the encryption of DNS traffic and ignore 
> authentication of the information?
> 
> I'm sure that all of us are aware that it's perfectly possible for a DoT 
> / DoH server to send bogus information through the encryption.
> 
> In some ways, advocating for encryption without authentication is akin 
> to advocating for self-signed TLS certificates for web-sites.  Anybody 
> can monkey in the middle the traffic if they want to.
> 
> I've not read any of the cited articles yet, but I assume DNS w/ DNSSEC 
> through VPN isn't mentioned.
> 
> 
> 
> -- 
> Grant. . . .
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
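An added illustration of the point made above (not part of the original post, and not BIND's own code): a small Python script that walks a CNAME chain from dig-style answer text and reports which hops carry an RRSIG. The sample answer is the one quoted in the message, with the wrapped RRSIG joined onto one line; the function names are my own. It only checks whether a signature is present at each hop, it does not cryptographically validate anything, so it is a quick audit of "is every name in the chain signed", which is what a validating resolver needs before it will set the AD flag on the final answer.

```python
"""Walk a CNAME chain from dig-style answer text and flag unsigned hops.

Added example. It parses presentation-format records (owner TTL IN TYPE RDATA),
follows CNAMEs from the query name, and records for every hop whether an RRSIG
covering that hop's RRset was returned. A single unsigned hop is enough for a
validating resolver to return the answer without the AD flag.
"""
from collections import defaultdict

# Constructed sample: the ANSWER SECTION quoted in the post, RRSIG on one line.
SAMPLE_ANSWER = """\
www.dhs.gov. 298 IN CNAME www.dhs.gov.edgekey.net.
www.dhs.gov. 298 IN RRSIG CNAME 13 3 300 20250129235639 20250127215639 34505 dhs.gov. JJnlIm2HQvUKM25ZvTUGRbZJDhVdkFy/+KHZz8jGixSNkAxniu7Z+whq5g+dvwD403tsLw0x1KL1UDuMXgLlAQ==
www.dhs.gov.edgekey.net. 299 IN CNAME e6485.dsca.akamaiedge.net.
e6485.dsca.akamaiedge.net. 20 IN A 23.38.138.46
"""

# Constructed sample: the header flags line from the same dig run (no "ad").
SAMPLE_FLAGS = ";; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1"


def _fqdn(name):
    """Normalise an owner name to lower case with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_answer(text):
    """Return (rrsets, rrsigs).

    rrsets[owner][rtype] -> list of rdata strings
    rrsigs[owner]        -> set of RR types that have an RRSIG at that owner
    """
    rrsets = defaultdict(lambda: defaultdict(list))
    rrsigs = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment
        parts = line.split()
        owner, rtype, rdata = _fqdn(parts[0]), parts[3], parts[4:]
        if rtype == "RRSIG":
            rrsigs[owner].add(rdata[0])  # first RRSIG field is the type covered
        else:
            rrsets[owner][rtype].append(" ".join(rdata))
    return rrsets, rrsigs


def audit_chain(text, qname, qtype="A"):
    """Follow CNAMEs from qname and return [(owner, rtype, signed)] per hop.

    rtype is None when the chain dangles (no CNAME and no qtype at the owner).
    A loop guard stops on a repeated owner name.
    """
    rrsets, rrsigs = parse_answer(text)
    hops = []
    name = _fqdn(qname)
    seen = set()
    while name not in seen:
        seen.add(name)
        if "CNAME" in rrsets[name]:
            hops.append((name, "CNAME", "CNAME" in rrsigs[name]))
            name = _fqdn(rrsets[name]["CNAME"][0])
        elif qtype in rrsets[name]:
            hops.append((name, qtype, qtype in rrsigs[name]))
            break
        else:
            hops.append((name, None, False))
            break
    return hops


def fully_signed(hops):
    """True only if every hop of the chain came with an RRSIG."""
    return bool(hops) and all(signed for _, _, signed in hops)


def has_ad_flag(flags_line):
    """Parse dig's ';; flags: ...;' header line and report whether AD is set."""
    flags = flags_line.split("flags:", 1)[1].split(";", 1)[0].split()
    return "ad" in flags


if __name__ == "__main__":
    for owner, rtype, signed in audit_chain(SAMPLE_ANSWER, "www.dhs.gov"):
        print(f"{owner:30} {rtype or '-':6} {'signed' if signed else 'UNSIGNED'}")
    print("chain fully signed:", fully_signed(audit_chain(SAMPLE_ANSWER, "www.dhs.gov")))
    print("AD flag on answer:", has_ad_flag(SAMPLE_FLAGS))
```

Run against the quoted answer it reports the first hop (dhs.gov) as signed and the two CDN hops as unsigned, matching the missing `ad` in the flags line: the operator signed their own zone, but the chain the resolver actually has to validate ends in zones they do not control.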
