[dns-operations] Any DNAME usage experience?
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Apr 1 18:43:56 UTC 2020
On Wed, Apr 01, 2020 at 08:22:57AM -0700, Brian Somers wrote:
> The offending query was: dig +dnssec ecfr.gov @ns2.gpo.gov
>
> We see this in the attached cap data:
> ….
> 0x0060: 0001 0702 0000 7080 5e93 a858 5e81 2fc6 ......p.^..X^./.
>         |    | |  |         |         |
> covered A    | |  |         |         |
> algorithm 7    |  |         |         |
> labels 2          |         |         |
> original-ttl 28800          |         |
> expiry 20200413122948                 |
> inception 20200330122237
>
> 0x0070: 004a c00c 7d79 e703 b882 9153 b648 0bd0 .J..}y.....S.H..
>         |    |
> keytag 74    |
> signer <ref>
FWIW, I see AD=1 from 1.1.1.1, 8.8.8.8 and 64.6.64.6 (CloudFlare,
Google, and Verisign), only 9.9.9.9 (Quad9) returns AD=0 for this
domain.
It appears that tolerating compression in the RRSIG is not uncommon.
It is also easy to support, because resolvers that don't understand
RRSIGs don't need a canonical form, and those that do understand RRSIGs
can easily uncompress the signer using the same now-read-a-domain-name
code that is used to handle owner names, CNAME targets, ...
So, while insisting that the signer be uncompressed is RFC-correct, and
nameservers MUST NOT perform compression, it is not clear that there's
much harm in being willing to undo some compression that happens despite
the RFC text.
--
Viktor.
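The decoding described in this thread, as an added example that is not code from the list or from either poster: a small Python RRSIG decoder that can either reject a compressed signer name (the RFC 4034 section 3.1.7 "MUST NOT" read strictly) or expand it and rebuild the canonical RRSIG_RDATA that verification hashes (section 3.1.8.1). The RRSIG RDATA bytes are the ones in the quoted dump, with the signature truncated to the bytes shown; the DNS header and question around them are constructed here so that the 0xc00c pointer has something to refer to, and it is assumed to refer to the QNAME ecfr.gov, as a pointer to offset 12 normally does.

```python
"""Decode an RRSIG whose signer name arrives as a compression pointer.

Added example, not code from the thread. RDATA bytes are from the quoted
dump; the header/question are constructed so 0xc00c (assumed to point at
the QNAME ecfr.gov) resolves. Timestamps are decoded from the bytes as-is.
"""
import struct
from datetime import datetime, timezone

TYPE_RRSIG = 46
RRSIG_FIXED = struct.Struct("!HBBIIIH")  # fields that precede the signer name


def encode_name(name):
    """Uncompressed wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, offset, allow_compression=True):
    """Read a name at msg[offset]; return (name, end_offset, was_compressed).

    end_offset is the first byte after the name as stored in the message;
    a pointer terminates the stored form, so it contributes two bytes.
    """
    labels, end, compressed, hops = [], None, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: compression pointer
            if not allow_compression:
                raise ValueError("compressed name at offset %d" % offset)
            target = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if target >= offset or hops > 127:        # must point backwards; no loops
                raise ValueError("bad compression pointer at offset %d" % offset)
            compressed, hops = True, hops + 1
            if end is None:
                end = offset + 2
            offset = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type at offset %d" % offset)
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset), compressed


def parse_rrsig(msg, offset, rdlength, strict=False):
    """Decode RRSIG RDATA. strict=True rejects a compressed signer (RFC 4034
    3.1.7); strict=False tolerates it and expands the name, as discussed above."""
    end = offset + rdlength
    (type_covered, algorithm, labels, original_ttl,
     expiration, inception, key_tag) = RRSIG_FIXED.unpack_from(msg, offset)
    signer, sig_start, compressed = read_name(msg, offset + RRSIG_FIXED.size,
                                              allow_compression=not strict)
    return {"type_covered": type_covered, "algorithm": algorithm, "labels": labels,
            "original_ttl": original_ttl, "expiration": expiration,
            "inception": inception, "key_tag": key_tag, "signer": signer,
            "signer_compressed": compressed, "signature": msg[sig_start:end]}


def canonical_rrsig_rdata(f):
    """RRSIG_RDATA as hashed for verification (RFC 4034 3.1.8.1): fixed fields,
    signer in canonical form (lowercase, uncompressed), signature excluded."""
    return RRSIG_FIXED.pack(f["type_covered"], f["algorithm"], f["labels"],
                            f["original_ttl"], f["expiration"], f["inception"],
                            f["key_tag"]) + encode_name(f["signer"].lower())


def sig_time(ts):
    """RRSIG timestamp in YYYYMMDDHHMMSS presentation form (UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d%H%M%S")


def build_message():
    """Constructed response: header, question ecfr.gov/A, one RRSIG answer whose
    RDATA is the hex from the dump (signature truncated to the bytes shown)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("ecfr.gov") + struct.pack("!HH", 1, 1)   # starts at offset 12
    rdata = bytes.fromhex("0001" "07" "02" "00007080" "5e93a858" "5e812fc6"
                          "004a" "c00c" "7d79e703b8829153b6480bd0")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 28800, len(rdata)) + rdata
    return header + question + answer


def first_answer(msg, strict=False):
    """Skip header and question section, decode the first answer RR as RRSIG."""
    qdcount = struct.unpack_from("!H", msg, 4)[0]
    off = 12
    for _ in range(qdcount):
        off = read_name(msg, off)[1] + 4            # QNAME, then QTYPE + QCLASS
    _, off, _ = read_name(msg, off)                 # owner name of the RR
    rtype, _, _, rdlength = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if rtype != TYPE_RRSIG:
        raise ValueError("expected RRSIG, got type %d" % rtype)
    return parse_rrsig(msg, off, rdlength, strict=strict)


if __name__ == "__main__":
    msg = build_message()
    f = first_answer(msg)
    print("signer %s (compressed=%s) keytag %d alg %d" %
          (f["signer"], f["signer_compressed"], f["key_tag"], f["algorithm"]))
    print("expiry %s inception %s" % (sig_time(f["expiration"]), sig_time(f["inception"])))
    print("canonical RRSIG_RDATA:", canonical_rrsig_rdata(f).hex())
    try:
        first_answer(msg, strict=True)
    except ValueError as e:
        print("strict decoder:", e)
```

The tolerant path is the one the message argues for: the signer comes out as ecfr.gov. through the same pointer-following code that already handles owner names, and `canonical_rrsig_rdata` shows that nothing about the compressed wire form survives into what the validator actually hashes. The strict path is what a decoder gets if it takes the MUST NOT literally and refuses the record, which is the difference in validator behaviour the thread is comparing.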