[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail
paul at redbarn.org
Sun Apr 19 19:50:12 UTC 2020
On Sunday, 19 April 2020 16:49:36 UTC Viktor Dukhovni wrote:
> > Could this work if the authoritative server returned an RRSIG signature
> > of an empty TLSA RRset?
> An interesting hypothetical, my take is "no", that's what NSEC is for.
> signed_data = RRSIG_RDATA | RR(1) | RR(2)... where
> seems to suggest that there's at least an RR(1), but indeed the language
> is not 100% clear on whether signatures of empty RRsets are valid.
if the rrset is empty, a validator is within its rights not to look for an
RRSIG at all. so, generating one even if possible would be fruitless.
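As an added illustration (not part of the thread), the following Python assembles the signed_data that Viktor quotes from RFC 4034 section 3.1.8.1 for a TLSA RRset, using constructed sample values for the owner name, TTLs, key tag and certificate data; with zero RRs the concatenation collapses to RRSIG_RDATA alone, which is the empty-RRset case the thread discusses.

```python
import struct

TLSA, CLASS_IN = 52, 1   # RR type code for TLSA, class IN

def name_to_wire(name: str) -> bytes:
    """Owner/signer name in canonical wire form (RFC 4034 s6.2):
    lowercase, uncompressed, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def rrsig_rdata_no_sig(type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag, signer):
    """RRSIG RDATA fields in wire form with the Signature field excluded."""
    return struct.pack("!HBBIIIH", type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag) + name_to_wire(signer)

def tlsa_rdata(usage, selector, matching_type, cert_assoc_data: bytes) -> bytes:
    return bytes([usage, selector, matching_type]) + cert_assoc_data

def signed_data(rrsig_rdata, owner, rrtype, original_ttl, rdatas):
    """RFC 4034 s3.1.8.1: RRSIG_RDATA | RR(1) | RR(2) ...
    Each RR(i) = owner | type | class | original TTL | RDLENGTH | RDATA,
    RRs in canonical order (sorted by RDATA as octet strings), duplicates dropped."""
    owner_wire = name_to_wire(owner)
    rrs = b""
    for rdata in sorted(set(rdatas)):
        rrs += owner_wire + struct.pack("!HHIH", rrtype, CLASS_IN, original_ttl,
                                        len(rdata)) + rdata
    return rrsig_rdata + rrs

# Constructed sample values (not from the thread): two TLSA records for a
# hypothetical _443._tcp.example.com, plus an RRSIG with the signature omitted.
OWNER = "_443._tcp.example.com."
ORIGINAL_TTL = 3600
RRSIG_RDATA = rrsig_rdata_no_sig(TLSA, 13, 4, ORIGINAL_TTL,
                                 1588000000, 1586000000, 12345, "example.com.")
TLSA_RRS = [tlsa_rdata(3, 1, 1, b"\x02" * 32), tlsa_rdata(3, 1, 1, b"\x01" * 32)]

def signed_data_nonempty():
    return signed_data(RRSIG_RDATA, OWNER, TLSA, ORIGINAL_TTL, TLSA_RRS)

def signed_data_empty():
    # Zero RRs: the concatenation is just RRSIG_RDATA and covers no owner name.
    # A validator treats an empty RRset as absent and looks for NSEC/NSEC3
    # proof of nonexistence, so it never goes looking for such an RRSIG.
    return signed_data(RRSIG_RDATA, OWNER, TLSA, ORIGINAL_TTL, [])
```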