We had a report on bind-users that DNSSEC validation through a forwarder was failing.
On investigation it turns out that the failing zones had CNAME records at the zone apex, and the DS lookup was returning the cached instance of that instead of the signed non-existence of the DS RRset from the parent zone. For zones that don't break the prohibition against CNAME and other data this does not happen.

DS is not a record that is supposed to co-exist with CNAME, and implementing the simple workaround of not matching DS lookups against CNAMEs is likely to have other consequences, as returning CNAME is the correct response for non-apex names with a CNAME record.

Bring on HTTPS support in browsers, as then this CNAME-at-the-apex idiocy can go away.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
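As an added illustration of the interaction Mark describes (this is example code written for this page, not BIND or ISC code, and every name and record in it is constructed), the following Python model puts the two rules side by side: a cache that, per RFC 1034 section 3.6.2, answers a query of any type from a CNAME cached at that name, and a validator whose DS step accepts only a DS RRset or a signed proof that the parent has no DS. A zone with a CNAME at its apex comes out bogus; an otherwise identical zone without one validates as insecure; and a DS lookup at a non-apex CNAME still gets the CNAME, which is the case the post says a naive "ignore CNAMEs for DS" workaround would change.

```python
"""Toy model of a forwarder cache meeting a DNSSEC validator's DS lookup.

Added illustration, not BIND code.  Two rules interact:
  * RFC 1034 section 3.6.2: a CNAME at a name is used to answer a query
    for any type at that name, so the cache satisfies a DS query from a
    cached CNAME;
  * at the DS step for a child zone the validator needs either a DS RRset
    or a signed (NSEC/NSEC3) proof from the parent that no DS RRset
    exists; a CNAME is neither.
All names and records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: List[str]
    signed: bool = True  # stands in for an accompanying RRSIG


@dataclass
class NegativeProof:
    """Signed NSEC/NSEC3 denial that `name` has no RRset of type `rtype`."""
    name: str
    rtype: str


Answer = Union[RRset, NegativeProof, None]


class Cache:
    """Minimal resolver cache applying the RFC 1034 CNAME rule on lookup."""

    def __init__(self) -> None:
        self._rrsets: Dict[Tuple[str, str], RRset] = {}
        self._neg: Dict[Tuple[str, str], NegativeProof] = {}

    def add(self, rrset: RRset) -> None:
        self._rrsets[(rrset.name, rrset.rtype)] = rrset

    def add_negative(self, proof: NegativeProof) -> None:
        self._neg[(proof.name, proof.rtype)] = proof

    def lookup(self, name: str, rtype: str) -> Answer:
        if (name, rtype) in self._rrsets:        # exact match
            return self._rrsets[(name, rtype)]
        if (name, "CNAME") in self._rrsets:     # a CNAME answers any type
            return self._rrsets[(name, "CNAME")]
        return self._neg.get((name, rtype))     # cached denial, if any


def ds_step(cache: Cache, child: str) -> str:
    """Outcome of the validator's DS lookup for zone `child`.

    'secure'   : a signed DS RRset was found, the chain continues into the child;
    'insecure' : signed proof that the parent has no DS, the child is unsigned;
    'bogus'    : neither, e.g. a cached CNAME satisfied the DS query.
    """
    ans = cache.lookup(child, "DS")
    if isinstance(ans, RRset) and ans.rtype == "DS" and ans.signed:
        return "secure"
    if isinstance(ans, NegativeProof):
        return "insecure"
    return "bogus"


def build_cache() -> Cache:
    """Constructed state of a forwarder's cache after some earlier queries."""
    cache = Cache()
    # Parent "example." has signed proof that neither child has a DS RRset.
    cache.add_negative(NegativeProof("good.example.", "DS"))
    cache.add_negative(NegativeProof("broken.example.", "DS"))
    # An earlier A query left a CNAME at the apex of broken.example. cached.
    cache.add(RRset("broken.example.", "CNAME", ["cdn.example.net."], signed=False))
    # A CNAME below the apex is legitimate and is not a zone cut.
    cache.add(RRset("www.good.example.", "CNAME", ["good.example."], signed=False))
    return cache


def scenario() -> Dict[str, str]:
    """Run the three lookups the post contrasts and report each outcome."""
    cache = build_cache()
    non_apex: Optional[Answer] = cache.lookup("www.good.example.", "DS")
    return {
        "good.example.": ds_step(cache, "good.example."),
        "broken.example.": ds_step(cache, "broken.example."),
        # For a non-apex name the CNAME is the correct answer to a DS query.
        "www.good.example. DS": non_apex.rtype if isinstance(non_apex, RRset) else "none",
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:25} {result}")
```

Removing the CNAME branch from `Cache.lookup` only for `rtype == "DS"` would make `broken.example.` fall through to the cached denial and validate as insecure, but it would also turn the `www.good.example.` DS lookup into a cache miss instead of the CNAME that RFC 1034 says it should get, which is the side effect the post warns about.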
