[dns-operations] Any DNAME usage experience?

Brian Somers bsomers at opendns.com
Wed Apr 1 15:22:57 UTC 2020


On Mar 31, 2020, at 3:37 PM, Mark Andrews <marka at isc.org> wrote:
> 
> 
> 
>> On 31 Mar 2020, at 23:03, Vladimír Čunát <vladimir.cunat+ietf at nic.cz> wrote:
>> 
>> On 3/31/20 6:47 AM, Brian Somers wrote:
>>> One useful thing I could say (If you haven’t hit delete yet) is that I *HAVE* seen RRSIGs with compressed signers in the wild, so never assume that, just because RFCs say MUST NOT, you’ll never see these horrible things.
>> 
>> Sure, validators MUST NOT crash on those, etc... but does that mean they
>> SHOULD accept such signatures?  I don't think so.  (unless there's some
>> additional motivation)
> 
> Well BIND has rejected them in RRSIGs from the get go.  They are also rejected
> is SIG records.  So while Brian may have seen them, I would presume that what
> ever was generating them has been fixed.

It doesn’t look like it….

The offending query was: dig +dnssec ecfr.gov @ns2.gpo.gov

We see this in the attached cap data:
….
        0x0060:  0001 0702 0000 7080 5e93 a858 5e81 2fc6  ......p.^..X^./.
                    |  | |         |         |         |
        covered     A  | |         |         |         |
        algorithm      7 |         |         |         |
        labels           2         |         |         |
        original-ttl           28800         |         |
        expiry                  20200413122948         |
        inception                         20200330122237

        0x0070:  004a c00c 7d79 e703 b882 9153 b648 0bd0  .J..}y.....S.H..
                    |    |
        keytag     74    |
        signer       <ref>

….

—
Brian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecfr.gov.pcap
Type: application/octet-stream
Size: 942 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200401/d9cf7d14/attachment.obj>


More information about the dns-operations mailing list