[dns-operations] DNSSEC validation - salliemae.com

Joe Abley jabley at hopcount.ca
Thu Aug 8 16:54:03 UTC 2019


On 7 Aug 2019, at 09:25, Robert Blayzor <rblayzor.bulk at inoc.net> wrote:

> I thought DNSSEC validation was to be "all or nothing". How can you be
> doing DNSSEC validation but still passing back RR's that do not pass due
> to not having any signature ?

I haven't looked into this particular example, but be aware that a well-functioning validator will not block records that are verifiably insecure (i.e. they have no signature, and there's no indication that they ought to have one). This is not the same situation as a response being received with a missing signature where one is expected.

Since the root zone and most TLD zones are signed, and since most domains today operated by registrants are not, it's actually tremendously normal for part of the resolution chain to have signatures that need to be valid and part to have no need for signatures. Insecure delegations and CNAME targets in zones that are insecure are common scenarios.


Joe
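The distinction Joe draws (verifiably insecure versus missing signature where one is expected) is easiest to see as the validator's state machine. The following is an added illustration, not code from the original post or from any resolver; it models a simplified chain of trust where a delegation's DS status is given as "present" (assumed to match a validated DNSKEY), "proven_absent" (signed NSEC/NSEC3 denial of DS) or "unproven_absent", and the zone names in the test cases are constructed.

```python
"""Simplified DNSSEC validator outcome per RFC 4035 security states."""
from dataclasses import dataclass
from typing import List

SECURE, INSECURE, BOGUS = "Secure", "Insecure", "Bogus"


@dataclass
class Step:
    """One delegation below the root on the path to the answer's zone."""
    zone: str
    ds: str  # "present", "proven_absent" or "unproven_absent"


@dataclass
class Answer:
    """One RRset in the response (a CNAME chain yields several)."""
    owner: str
    steps: List[Step]  # delegations from the root to the zone holding this RRset
    signed: bool       # an RRSIG validates against that zone's DNSKEY


def zone_state(steps: List[Step]) -> str:
    state = SECURE  # the root is covered by the configured trust anchor
    for step in steps:
        if state == INSECURE:
            break  # nothing below an insecure delegation can be validated
        if step.ds == "present":
            state = SECURE
        elif step.ds == "proven_absent":
            state = INSECURE  # verifiably insecure: no signatures expected below
        else:
            return BOGUS  # a signed parent must prove DS absence; it did not
    return state


def answer_state(ans: Answer) -> str:
    zs = zone_state(ans.steps)
    if zs == SECURE:
        return SECURE if ans.signed else BOGUS  # signature expected here
    return zs  # Insecure/Bogus zones: the answer inherits the zone state


def response_state(answers: List[Answer]) -> str:
    """Bogus -> SERVFAIL; Insecure -> returned, AD clear; Secure -> AD set."""
    states = [answer_state(a) for a in answers]
    if BOGUS in states:
        return BOGUS
    if INSECURE in states:
        return INSECURE
    return SECURE
```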
