On Wed, Apr 29, 2020 at 5:50 PM Ted Lemon <mel...@fugue.com> wrote:
> Is there an RFC or draft that talks about what the right thing is to do
> when an unsigned CNAME points to a record in a signed zone?
>
> That is, suppose we are doing validation. The CNAME doesn't validate,
> because it's not signed. When we look up the record the CNAME points to, do
> we set the DO bit? Do we validate the answer? Or do we assume that because
> the CNAME isn't signed, we don't need to validate what it points to?

Hi Ted,

I believe a validating resolver always sets the DO-bit in outbound queries.

The answer in your example can't be authenticated (i.e. no AD bit can be set) because not all the answers (namely the CNAME) in the response have been authenticated (per RFC 4035, Section 3.2.3). But a resolver would still authenticate the RR type at the signed target of the CNAME (assuming the target has an unbroken chain to the trust anchor), and record that RRset as authenticated. Otherwise, if it later received a query directly for the target name/type, it could not return the answer that it incorrectly didn't bother to authenticate.

Shumon.
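The behaviour described in the reply above, as an added example that is not part of the original thread or of any real resolver: a toy validating resolver that always sets DO on outbound queries, validates each RRset in the answer section on its own, sets AD only when every RRset is Secure (RFC 4035 Section 3.2.3), and caches the validation state per RRset so a later direct query for the signed CNAME target is answered with AD set. The zone names, addresses, the `zone`/`signed` fields standing in for a real DS/DNSKEY/RRSIG chain, and the `secure_zones` set are all constructed assumptions; real validation of signatures is not modelled.

```python
"""Toy model of RFC 4035 validation for an unsigned CNAME into a signed zone.
Added example (not from the thread); signature checking is replaced by flags."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4035 Section 4.3 validation states (Indeterminate omitted for brevity)
SECURE, INSECURE, BOGUS = "Secure", "Insecure", "Bogus"


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: List[str]
    zone: str      # apex of the zone holding this RRset (constructed input)
    signed: bool   # stand-in for "a valid RRSIG chains to the trust anchor"


@dataclass
class Query:
    qname: str
    qtype: str
    do: bool       # EDNS DNSSEC OK bit


@dataclass
class Response:
    answer: List[RRset]
    ad: bool = False


class ValidatingResolver:
    def __init__(self, secure_zones):
        # zones with an unbroken DS/DNSKEY chain from the trust anchor (assumed)
        self.secure_zones = set(secure_zones)
        # each cached RRset carries its own validation state, not the response's AD
        self.cache: Dict[Tuple[str, str], Tuple[RRset, str]] = {}

    def build_query(self, qname: str, qtype: str) -> Query:
        # a validating resolver always asks for RRSIGs, whatever the client sent
        return Query(qname, qtype, do=True)

    def validate(self, rrset: RRset) -> str:
        if rrset.zone in self.secure_zones:
            # inside a signed zone every RRset must carry a valid signature
            return SECURE if rrset.signed else BOGUS
        # provably insecure delegation: no signatures are expected
        return INSECURE

    def process_response(self, answer: List[RRset]) -> Optional[Response]:
        states = [(rr, self.validate(rr)) for rr in answer]
        if any(st == BOGUS for _, st in states):
            return None  # SERVFAIL to the client; nothing is cached
        for rr, st in states:
            self.cache[(rr.name, rr.rtype)] = (rr, st)
        # AD only when *every* RRset in the answer section is Secure
        return Response(answer, ad=all(st == SECURE for _, st in states))

    def answer_from_cache(self, qname: str, qtype: str) -> Optional[Response]:
        hit = self.cache.get((qname, qtype))
        if hit is None:
            return None
        rr, st = hit
        return Response([rr], ad=(st == SECURE))


def cname_into_signed_zone():
    """Unsigned CNAME (insecure zone) pointing at a signed A RRset."""
    r = ValidatingResolver(secure_zones={"signed.example."})
    q = r.build_query("www.unsigned.example.", "A")
    upstream = [  # constructed upstream answer section
        RRset("www.unsigned.example.", "CNAME", ["host.signed.example."],
              zone="unsigned.example.", signed=False),
        RRset("host.signed.example.", "A", ["192.0.2.10"],
              zone="signed.example.", signed=True),
    ]
    first = r.process_response(upstream)
    later = r.answer_from_cache("host.signed.example.", "A")
    target_state = r.cache[("host.signed.example.", "A")][1]
    return q.do, first.ad, target_state, later.ad


def unsigned_cname_in_signed_zone():
    """Same shape, but the CNAME's own zone is signed and the RRSIG is missing."""
    r = ValidatingResolver(secure_zones={"signed.example.", "also-signed.example."})
    upstream = [
        RRset("www.also-signed.example.", "CNAME", ["host.signed.example."],
              zone="also-signed.example.", signed=False),
        RRset("host.signed.example.", "A", ["192.0.2.10"],
              zone="signed.example.", signed=True),
    ]
    return r.process_response(upstream), len(r.cache)


if __name__ == "__main__":
    print(cname_into_signed_zone())          # (True, False, 'Secure', True)
    print(unsigned_cname_in_signed_zone())   # (None, 0)
```

The first scenario is the one from the question: the combined answer goes back without AD, but the target A RRset is cached as Secure and a later direct query for it gets AD. The second shows the contrasting case a practitioner should not confuse with it: an unsigned CNAME inside a zone that is itself signed is Bogus, the whole response is dropped, and nothing from it is cached.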
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop