[dns-operations] Validation anomalies under gpo.gov

Shumon Huque shuque at gmail.com
Sat Apr 4 04:47:59 UTC 2020


On Fri, Apr 3, 2020 at 4:54 PM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

>
> The AD=1 replies from Google and Verisign are not "wrong".  They just
> reflect the fact that any ancestor zone is in principle free to bypass
> delegation and return "unexpected" signed answers for a child domain,
> legitimately or otherwise.


In this case, I think the explanation might be a bit simpler. The parent
zone
isn't really bypassing anything. The behavior is likely a result of the
fact that
both the parent (gpo.gov) and child (access.gpo.gov) are served by the same
set of nameservers. An incoming query containing the full qname (as opposed
to
qname minimization), will cause most authoritative servers to find the
closest
enclosing zone for the query (i.e. the child zone) and answer directly from
that.
And since the signer for permanent.access.gpo.gov is claimed to be gpo.gov,
it validates, and the broken delegation isn't even being seen.

Cloudflare I believe does qname minimization, so is likely reacting to
discovery
of the broken delegation.

Shumon.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200404/e4a9bae8/attachment.html>


More information about the dns-operations mailing list