[dns-operations] Any DNAME usage experience?
ietf-dane at dukhovni.org
Wed Apr 1 18:43:56 UTC 2020
On Wed, Apr 01, 2020 at 08:22:57AM -0700, Brian Somers wrote:
> The offending query was: dig +dnssec ecfr.gov @ns2.gpo.gov
> We see this in the attached cap data:
> 0x0060: 0001 0702 0000 7080 5e93 a858 5e81 2fc6  ......p.^..X^./.
>         |    | |  |         |         |
> covered A    | |  |         |         |
> algorithm 7    |  |         |         |
> labels 2          |         |         |
> original-ttl 28800          |         |
> expiry 20200413122948       |
> inception 20200330122237
> 0x0070: 004a c00c 7d79 e703 b882 9153 b648 0bd0  .J..}y.....S.H..
>         |    |
> keytag 74    |
> signer <ref>

FWIW, I see AD=1 from 188.8.131.52, 184.108.40.206 and 220.127.116.11 (CloudFlare,
Google, and Verisign), only 18.104.22.168 (Quad9) returns AD=0 for this.

It appears that tolerating compression in the RRSIG is not uncommon.
It is also easy to support, because resolvers that don't understand
RRSIGs don't need a canonical form, and those that do understand RRSIGs
can easily uncompress the signer, using the same now-read-a-domain-name
code, as is used to handle owner names, CNAME targets, ...

So, while insisting that the signer be uncompressed is RFC-correct, and
nameservers MUST NOT perform compression, it is not clear that there's
much harm in being willing to undo some compression that happens despite
the RFC text.
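The parsing described above, as an added example that is not part of this thread or of any resolver named in it: a small Python RRSIG RDATA parser that reuses the ordinary name reader. The message header and question section are constructed so that the quoted c00c pointer has something to point at (offset 12, the QNAME ecfr.gov); the RRSIG fixed fields are the bytes quoted from the capture, and the signature tail is a placeholder. With the default strict setting the parser rejects the compressed signer, which is how an operator can detect a nameserver violating RFC 4034 section 3.1.7; with tolerate_compression=True it follows the pointer the way the AD=1 validators evidently do.

```python
import struct
from datetime import datetime, timezone

# Constructed DNS message (an assumption for this example, not the thread's
# capture): a 12-byte header and a question for ecfr.gov/IN/A, so that offset
# 12 holds the name the RRSIG's compression pointer (c0 0c) refers to.
QNAME_ECFR_GOV = b"\x04ecfr\x03gov\x00"
HEADER = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags, counts
QUESTION = QNAME_ECFR_GOV + struct.pack(">HH", 1, 1)        # QTYPE=A, QCLASS=IN

# RRSIG RDATA fixed fields exactly as quoted in the thread, through the
# compressed signer name; the signature bytes are a constructed placeholder.
RRSIG_FIXED = bytes.fromhex("0001 0702 0000 7080 5e93 a858 5e81 2fc6 004a c00c")
SIGNATURE_STUB = bytes(8)

MESSAGE = HEADER + QUESTION + RRSIG_FIXED + SIGNATURE_STUB
RDATA_OFFSET = len(HEADER) + len(QUESTION)
RDLENGTH = len(RRSIG_FIXED) + len(SIGNATURE_STUB)

# The same RDATA as a compliant sender would emit it: signer written out in full.
RRSIG_UNCOMPRESSED = RRSIG_FIXED[:18] + QNAME_ECFR_GOV + SIGNATURE_STUB

TYPE_NAMES = {1: "A", 5: "CNAME", 39: "DNAME", 46: "RRSIG"}


def read_name(msg, offset, allow_pointer=True):
    """Read a wire-format name at offset.

    Returns (name, offset just past the field, whether a pointer was used).
    This is the ordinary owner-name / CNAME-target reader; a strict RRSIG
    parser simply calls it with allow_pointer=False.
    """
    labels = []
    end = None            # end of the field at its original position
    used_pointer = False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # two-byte compression pointer
            if not allow_pointer:
                raise ValueError("compression pointer at offset %d" % offset)
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= offset:              # must point backwards: no loops
                raise ValueError("forward pointer at offset %d" % offset)
            if end is None:
                end = offset + 2
            offset, used_pointer = target, True
            continue
        if length > 63:
            raise ValueError("bad label length at offset %d" % offset)
        if length == 0:                       # root label terminates the name
            if end is None:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", end, used_pointer


def parse_rrsig(msg, offset, rdlength, tolerate_compression=False):
    """Parse RRSIG RDATA (RFC 4034 section 3.1) starting at offset.

    RFC 4034 forbids compressing the Signer's Name.  With the default
    tolerate_compression=False a pointer there is an error; with True the
    pointer is followed, which is what the AD=1 validators above do.
    """
    fields = struct.unpack_from(">HBBIIIH", msg, offset)   # 18 fixed bytes
    type_covered, algorithm, labels, original_ttl, expiration, inception, key_tag = fields
    signer, sig_start, compressed = read_name(
        msg, offset + 18, allow_pointer=tolerate_compression)
    return {
        "type_covered": TYPE_NAMES.get(type_covered, str(type_covered)),
        "algorithm": algorithm,
        "labels": labels,
        "original_ttl": original_ttl,
        "expiration": expiration,          # seconds since the Unix epoch
        "inception": inception,
        "key_tag": key_tag,
        "signer": signer,
        "signer_compressed": compressed,
        "signature": msg[sig_start:offset + rdlength],
    }


def signer_is_uncompressed(msg, offset, rdlength):
    """True if the RRSIG at offset carries its signer name in full, as RFC 4034
    requires; False if the signer is compressed or otherwise malformed."""
    try:
        parse_rrsig(msg, offset, rdlength)
    except ValueError:
        return False
    return True


def rrsig_time(seconds):
    """Render an RRSIG timestamp in the YYYYMMDDHHmmSS presentation form."""
    return datetime.fromtimestamp(seconds, timezone.utc).strftime("%Y%m%d%H%M%S")


if __name__ == "__main__":
    print("captured RRSIG compliant:", signer_is_uncompressed(MESSAGE, RDATA_OFFSET, RDLENGTH))
    print("rewritten RRSIG compliant:",
          signer_is_uncompressed(RRSIG_UNCOMPRESSED, 0, len(RRSIG_UNCOMPRESSED)))
    rrsig = parse_rrsig(MESSAGE, RDATA_OFFSET, RDLENGTH, tolerate_compression=True)
    for key, value in rrsig.items():
        if key in ("expiration", "inception"):
            value = "%d (%s)" % (value, rrsig_time(value))
        print("%-18s %s" % (key, value))
```

The backwards-only pointer rule in read_name is what makes following compression in the signer safe to tolerate: the pointer can only reach bytes already parsed, so a malformed RRSIG cannot send the parser into a loop or off the end of the message.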