[dns-operations] Any DNAME usage experience?
bsomers at opendns.com
Wed Apr 1 15:22:57 UTC 2020
On Mar 31, 2020, at 3:37 PM, Mark Andrews <marka at isc.org> wrote:
>> On 31 Mar 2020, at 23:03, Vladimír Čunát <vladimir.cunat+ietf at nic.cz> wrote:
>> On 3/31/20 6:47 AM, Brian Somers wrote:
>>> One useful thing I could say (If you haven’t hit delete yet) is that I *HAVE* seen RRSIGs with compressed signers in the wild, so never assume that, just because RFCs say MUST NOT, you’ll never see these horrible things.
>> Sure, validators MUST NOT crash on those, etc... but does that mean they
>> SHOULD accept such signatures? I don't think so. (unless there's some
>> additional motivation)
> Well BIND has rejected them in RRSIGs from the get go. They are also rejected
> is SIG records. So while Brian may have seen them, I would presume that what
> ever was generating them has been fixed.
It doesn’t look like it….
The offending query was: dig +dnssec ecfr.gov @ns2.gpo.gov
We see this in the attached cap data:
0x0060: 0001 0702 0000 7080 5e93 a858 5e81 2fc6 ......p.^..X^./.
| | | | | |
covered A | | | | |
algorithm 7 | | | |
labels 2 | | |
original-ttl 28800 | |
expiry 20200413122948 |
0x0070: 004a c00c 7d79 e703 b882 9153 b648 0bd0 .J..}y.....S.H..
keytag 74 |
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 942 bytes
Desc: not available
More information about the dns-operations