On 7 Oct 2020, at 08:07, Viktor Dukhovni <[email protected]> wrote:
>
> On Wed, Oct 07, 2020 at 07:27:47AM +1100, Mark Andrews wrote:
>
> >> They are just malformed. No key material is not permitted with DNSKEY.
> >> It's one of the differences to KEY.
>
> Yes, I am aware they're malformed, my question is whether this then
> causes problems for various tools and resolvers. Among the major
> public DNS providers, a DNSKEY lookup returns:
>
> * CloudFlare - NOERROR
> * Google - SERVFAIL
> * OpenDNS - NOERROR
> * Quad9 - NOERROR
> * Verisign - NOERROR
>
> So at least Google finds the DNSKEY RRset in question problematic
> overall, despite the valid ECDSA P256 signature.

This is where garbage should be rejected as soon as possible. At least we
won't have to deal with "but it works with Google" this time. Edge-case
implies it is something that should be accepted, which is why I came back
with the unequivocal "malformed".

Mark

> >>> On 7 Oct 2020, at 04:40, Viktor Dukhovni <[email protected]> wrote:
> >>>
> >>> After an algorithm rollover (RSA 8 -> ECDSA P256 13) a couple of days
> >>> back, two domains now have new zero-length RSA 8 KSKs, along with
> >>> working new ECDSA KSKs:
> >>>
> >>> https://stats.dnssec-tools.org/explore/?nlagriculture.nl
> >>> https://stats.dnssec-tools.org/explore/?nlenergyandclimatechange.nl
> >>>
> >>> nlagriculture.nl. IN DNSKEY 257 3 8 ; NoError
> >>> nlenergyandclimatechange.nl. IN DNSKEY 257 3 8 ; NoError
> >>>
> >>> Unbound validates the DNSKEY RRset just fine, but these give DNSViz some
> >>> indigestion:
> >>>
> >>> https://dnsviz.net/d/nlagriculture.nl/X3yhPg/dnssec/
> >>> https://dnsviz.net/d/nlenergyandclimatechange.nl/X3yhXg/dnssec/
> >>>
> >>> I wonder whether any other tools
> >>> (especially resolvers) have difficulties with these...
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
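The point made in the thread above, that a DNSKEY with no key material is malformed rather than an edge case and should be rejected at parse time, can be shown with a strict RDATA checker. The following is example code added here; it is not from the dns-operations thread, from Unbound, or from any of the resolvers mentioned. The wire samples are constructed (a `257 3 8` record with an empty public key field, beside a placeholder ECDSA P-256 KSK and RSA ZSK) and are not the real keys of the zones discussed. The length rules it applies come from RFC 4034 (DNSKEY layout), RFC 3110 (RSA key encoding) and RFC 6605 (64-byte P-256 public key).

```python
"""Strict DNSKEY RDATA checks: a zero-length public key is malformed, not an edge case.

Example code added to illustrate the thread; not from the thread, Unbound, or any
resolver. Wire samples below are constructed, not the real nlagriculture.nl keys.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Algorithm numbers from the IANA DNS Security Algorithm Numbers registry.
RSASHA256 = 8
ECDSAP256SHA256 = 13

# DNSKEY flag bits (RFC 4034 section 2.1.1): 257 = zone key + SEP.
FLAG_ZONE_KEY = 0x0100
FLAG_SEP = 0x0001


@dataclass
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def is_ksk(self) -> bool:
        """True for a 257-style key: zone key with the Secure Entry Point bit set."""
        mask = FLAG_ZONE_KEY | FLAG_SEP
        return self.flags & mask == mask


def parse_dnskey_rdata(rdata: bytes) -> DNSKEY:
    """Parse DNSKEY RDATA (RFC 4034 section 2.1), raising ValueError on junk.

    The obsolete KEY RR (RFC 2535) could encode "no key" in its flags; DNSKEY has
    no such encoding, so an empty public key field is simply malformed.
    """
    if len(rdata) < 4:
        raise ValueError("RDATA shorter than the fixed 4-byte DNSKEY header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    public_key = rdata[4:]
    if protocol != 3:
        raise ValueError(f"DNSKEY protocol field must be 3, got {protocol}")
    if not public_key:
        raise ValueError("DNSKEY carries no key material (zero-length public key)")
    if algorithm == RSASHA256:
        _check_rsa_public_key(public_key)
    elif algorithm == ECDSAP256SHA256 and len(public_key) != 64:
        # RFC 6605: uncompressed P-256 point, x || y, 32 bytes each.
        raise ValueError(f"ECDSA P-256 key must be 64 bytes, got {len(public_key)}")
    return DNSKEY(flags, protocol, algorithm, public_key)


def _check_rsa_public_key(key: bytes) -> None:
    """RFC 3110 layout: exponent length (1 byte, or 0 plus 2 bytes), exponent, modulus."""
    exp_len, offset = key[0], 1
    if exp_len == 0:
        if len(key) < 3:
            raise ValueError("RSA key truncated inside the exponent length field")
        exp_len, offset = struct.unpack("!H", key[1:3])[0], 3
    if exp_len == 0:
        raise ValueError("RSA key has a zero-length exponent")
    if len(key) < offset + exp_len + 1:
        raise ValueError("RSA key truncated: exponent or modulus missing")


def check_dnskey_rrset(rrset: List[bytes]) -> List[Tuple[str, str]]:
    """Return ("ok" | "malformed", detail) per record, in RRset order.

    Whether a resolver then drops only the bad keys or refuses the whole RRset is
    a separate policy choice; this only surfaces the defect at parse time rather
    than somewhere inside signature validation.
    """
    verdicts = []
    for rdata in rrset:
        try:
            key = parse_dnskey_rdata(rdata)
        except ValueError as exc:
            verdicts.append(("malformed", str(exc)))
        else:
            role = "KSK" if key.is_ksk else "ZSK"
            verdicts.append(("ok", f"{role} alg={key.algorithm} keylen={len(key.public_key)}"))
    return verdicts


# Constructed samples (not real keys): the leftover "257 3 8" record with an empty
# key field, as in the thread, beside a placeholder ECDSA P-256 KSK and RSA ZSK.
LEFTOVER_RSA_KSK = struct.pack("!HBB", 257, 3, RSASHA256)
ECDSA_KSK = struct.pack("!HBB", 257, 3, ECDSAP256SHA256) + bytes(range(64))
RSA_ZSK = (struct.pack("!HBB", 256, 3, RSASHA256)
           + bytes([3, 0x01, 0x00, 0x01])      # exponent length 3, e = 65537
           + b"\xc1" + b"\x00" * 255)          # 2048-bit modulus placeholder

if __name__ == "__main__":
    for verdict, detail in check_dnskey_rrset([LEFTOVER_RSA_KSK, ECDSA_KSK, RSA_ZSK]):
        print(f"{verdict:9s} {detail}")
```

Run stand-alone it reports the first record as malformed and the other two as ok; the interesting part for a validator author is that the empty-key record is caught before any RRSIG is looked at, which is exactly where the thread argues such garbage should be rejected.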
