On Wed, Sep 03, 2014 at 10:43:21AM -0400, Wietse Venema wrote:

> > I don't see a CNAME, I get SERVFAIL:
>
> Actually, this depends on your resolver. Search your favorite
> search engine for "DNSSEC wildcard".

Unbound is supposed to handle this correctly. It also SERVFAILs at
Google's 8.8.8.8 validating recursor. I suspect the problem is related
to the wildcard pointing at the root of the zone, rather than an
internal node. Note for example the below which works fine (mail10 is
fiction):

    $ dig +ad +noall +comment +ans +auth -t tlsa fail.mail10.clarion-hotels.cz
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64221
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

    ;; ANSWER SECTION:
    fail.mail10.clarion-hotels.cz. 1800 IN CNAME clarion-hotels.cz.

    ;; AUTHORITY SECTION:
    clarion-hotels.cz. 3600 IN SOA ns.forpsi.net. admin.forpsi.com. 2014082501 3600 1800 2592000 3600

While changing mail10 to mail2 (which is not subject to the wildcard)
breaks.

    $ dig +ad +noall +comment +ans +auth -t tlsa fail.mail2.clarion-hotels.cz
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17132
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

So my resolver can and does validate wildcard CNAMEs, but not in this
case. Whether the problem is on the DNS server or client I cannot say.

-- 
	Viktor.
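The two dig transcripts in the message illustrate the three outcomes a validating resolver can hand back for a TLSA lookup, and the RFC 4592 rule that decides why one name is covered by the wildcard and the other is not. The script below is an added example, not code from the post, from Postfix or from Unbound: it parses the `+comment` header and sections that `dig` prints, classifies the response by status and the `ad` flag, and computes wildcard coverage against a small zone. The dig text is copied from the message above and embedded so the script runs offline; the set of zone nodes is an assumption (the post says mail10 is fictional and that mail2 is not subject to the wildcard, which is consistent with mail2 existing as a node).

```python
"""Classify DNSSEC outcomes from dig output and check RFC 4592 wildcard coverage.

Added example for the thread above; not code from the original post, Postfix
or Unbound. The dig transcripts are copied from the post as sample input; the
ZONE_NODES set is an assumption used only to illustrate the wildcard rule.
"""
import re
from dataclasses import dataclass, field

# Sample input: the two responses quoted in the message (copied, not live).
WORKING = """
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64221
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
fail.mail10.clarion-hotels.cz. 1800 IN CNAME clarion-hotels.cz.

;; AUTHORITY SECTION:
clarion-hotels.cz. 3600 IN SOA ns.forpsi.net. admin.forpsi.com. 2014082501 3600 1800 2592000 3600
"""

BROKEN = """
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17132
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

# Assumed zone contents (owner names without the trailing dot): the apex, the
# wildcard at the apex, and an existing mail2 node. mail10 does not exist.
ZONE_NODES = {"clarion-hotels.cz", "*.clarion-hotels.cz", "mail2.clarion-hotels.cz"}

HEADER_RE = re.compile(r"status: (?P<status>[A-Z]+), id: (?P<id>\d+)")
FLAGS_RE = re.compile(r";; flags: (?P<flags>[a-z ]*);")
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<rdata>.+)$")


@dataclass
class DigResponse:
    status: str
    flags: set
    answers: list = field(default_factory=list)   # (owner, type, rdata)
    authority: list = field(default_factory=list)


def parse_dig(text):
    """Extract RCODE, header flags and the ANSWER/AUTHORITY records from dig output."""
    status, flags, answers, authority, section = None, set(), [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.search(line)
        if m:
            status = m.group("status")
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group("flags").split())
            continue
        if line.startswith(";; ANSWER SECTION"):
            section = answers
            continue
        if line.startswith(";; AUTHORITY SECTION"):
            section = authority
            continue
        if line.startswith(";"):
            continue  # other comment lines
        m = RR_RE.match(line)
        if m and section is not None:
            section.append((m.group("name"), m.group("type"), m.group("rdata")))
    return DigResponse(status, flags, answers, authority)


def classify(resp):
    """What a client may conclude: 'secure' only with the AD bit; SERVFAIL is
    indeterminate because bogus data and a broken server look the same."""
    if resp.status == "SERVFAIL":
        return "indeterminate"
    if resp.status in ("NOERROR", "NXDOMAIN"):
        return "secure" if "ad" in resp.flags else "insecure"
    return "unexpected"


def wildcard_covers(zone_nodes, qname):
    """RFC 4592: a wildcard only synthesizes for names whose closest encloser
    owns '*'. Returns the matching wildcard name or None."""
    if qname in zone_nodes:
        return None  # the name exists, nothing is synthesized
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in zone_nodes:  # first existing ancestor = closest encloser
            wildcard = "*." + ancestor
            return wildcard if wildcard in zone_nodes else None
    return None


if __name__ == "__main__":
    for label, text in (("mail10", WORKING), ("mail2", BROKEN)):
        r = parse_dig(text)
        print(label, r.status, sorted(r.flags), classify(r), r.answers)
    for q in ("fail.mail10.clarion-hotels.cz", "fail.mail2.clarion-hotels.cz"):
        print(q, "->", wildcard_covers(ZONE_NODES, q))
```

Under the assumed zone, `fail.mail10` has `clarion-hotels.cz` as its closest encloser, so `*.clarion-hotels.cz` applies and the validated CNAME comes back with `ad` set; `fail.mail2` has the existing `mail2` node as its closest encloser, no `*.mail2` exists, and the correct answer would be an authenticated NXDOMAIN, which is what makes the SERVFAIL in the second transcript notable. The classifier deliberately refuses to turn SERVFAIL into either "secure" or "insecure".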