On Mon, Mar 27, 2023 at 06:30:02PM +0200, Emmanuel Fusté wrote:

> > Do you have a list of operators that currently return just "RRSIG NSEC"
> > for ENTs? Do you [know] what software they are running?
>
> I double check: route53/AWS currently return just "RRSIG NSEC" for ENTs.

Anyone else?

> Even worse, it seems that they infer answers to non edns or cleared DO
> bit questions from an internal DNSSEC response even for non DNSSEC
> enabled zone:

I am struggling to understand this, can you give an example?

> - they currently return NXDOMAIN for ENT on apparently non DNSSEC signed
> zones.

The ENT handling at AWS has been known to be broken for some time.

    https://twitter.com/VDukhovni/status/1443681398905360384
    https://twitter.com/VDukhovni/status/1445236728269258753

> > The only other option is to introduce yet another sentinel that signals
> > that the node in question is an ENT, so that the bare "RRSIG NSEC"
> > combination is ultimately never used.
>
> Yes it was my conclusion too.

I am not entirely keen on yet another sentinel, but feel free to suggest
it. The draft is currently under discussion.

--
    Viktor.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations