[dns-operations] Unbound vs. dnsviz DNSSEC edge-case, which is right?
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Aug 10 14:49:53 UTC 2016
On Wed, Aug 10, 2016 at 12:02:04PM +0100, Tony Finch wrote:
> BIND thinks this is OK:
> [...]
> But the query subsequently fails when it tries to follow the CNAME because:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37630
> ;s07.hello-clarice.net. IN TLSA
Thanks for that, my mistake. Indeed, if I ask for CNAME instead of
TLSA, unbound successfully verifies the CNAME response, and correctly
returns an "insecure" result due to the opt-out bit. The SERVFAIL
I see for TLSA is due to the failure to chase the CNAME, which lies
in a lame zone. It makes sense now.
[ The failure in TLSA resolution breaks DANE SMTP delivery to the
domain with the lame wildcard CNAME, but that's an operator error,
not an unbound bug. ]
FWIW, this problem is observed at:
_25._tcp.damhockey.se. has CNAME record s07.hello-clarice.net. (insecure)
_25._tcp.xn--frjestad-0za.se. has CNAME record s07.hello-clarice.net. (insecure)
_25._tcp.hockeyshop.se. has CNAME record s07.hello-clarice.net. (insecure)
_25._tcp.hockeyshopen.se. has CNAME record s07.hello-clarice.net. (insecure)
_25._tcp.hockeyportalen.se. has CNAME record s07.hello-clarice.net. (insecure)
_25._tcp.tjejhockey.se. has CNAME record s07.hello-clarice.net. (insecure)
and related issues at:
_25._tcp.vasterasaren.se. IN TLSA ?
_25._tcp.bravemonday.se. IN TLSA ?
_25._tcp.e-kommun.se. IN TLSA ?
--
Viktor.
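As an added example that is not part of this thread, the Python below models the lookup sequence described above: a direct CNAME query validates (as insecure), while a TLSA query has to chase the CNAME into the lame target zone and fails there. The resolver is injected so the script runs offline; the constructed answers reuse the domain, target and REFUSED rcode reported in the thread, and the outcome strings are this example's own summary, not the post's.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Answer:
    rcode: str                        # "NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED", ...
    secure: bool = False              # AD bit set, i.e. DNSSEC-validated
    cname: Optional[str] = None       # CNAME target, if the answer is a CNAME
    records: list = field(default_factory=list)  # TLSA RRs at the final name

def chase_tlsa(qname: str, resolve: Callable[[str, str], Answer],
               max_hops: int = 8) -> dict:
    """Look up TLSA for qname, following CNAMEs as a DANE client must; any
    hop that is neither NOERROR nor NXDOMAIN (e.g. a lame zone) is a lookup error."""
    chain, secure, name = [], True, qname
    for _ in range(max_hops):
        ans = resolve(name, "TLSA")
        chain.append(name)
        secure = secure and ans.secure      # chain is secure only if every hop is
        if ans.rcode not in ("NOERROR", "NXDOMAIN"):
            return {"status": ans.rcode, "secure": False, "chain": chain}
        if ans.cname is None:               # NXDOMAIN is a valid "no records" answer
            return {"status": ans.rcode, "secure": secure, "chain": chain,
                    "tlsa": ans.records}
        name = ans.cname
    return {"status": "CNAME_LOOP", "secure": False, "chain": chain}

def dane_outcome(result: dict) -> str:
    """Map the chased result onto what a DANE SMTP client can do with it."""
    if result["status"] not in ("NOERROR", "NXDOMAIN"):
        return "lookup error: TLSA unusable, delivery fails"
    if not result["secure"]:
        return "insecure chain: DANE not applicable"
    return "secure: use TLSA records" if result["tlsa"] else "no TLSA records"

# Constructed answers modelling what the thread reports: the CNAME validates
# as insecure (NSEC3 opt-out) while the target zone refuses the TLSA query.
CONSTRUCTED = {
    ("_25._tcp.damhockey.se.", "CNAME"): Answer("NOERROR", False, "s07.hello-clarice.net."),
    ("_25._tcp.damhockey.se.", "TLSA"):  Answer("NOERROR", False, "s07.hello-clarice.net."),
    ("s07.hello-clarice.net.", "TLSA"):  Answer("REFUSED"),
}

def constructed_resolver(qname: str, qtype: str) -> Answer:
    return CONSTRUCTED.get((qname, qtype), Answer("NXDOMAIN"))

if __name__ == "__main__":
    res = chase_tlsa("_25._tcp.damhockey.se.", constructed_resolver)
    print(" -> ".join(res["chain"]), res["status"], "|", dane_outcome(res))
```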