[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail
Paul Vixie
paul at redbarn.org
Sun Apr 19 19:50:12 UTC 2020
On Sunday, 19 April 2020 16:49:36 UTC Viktor Dukhovni wrote:
> ...
>
> > Could this work if the authoritative server returned an RRSIG signature
> > of an empty TLSA RRset?
>
> An interesting hypothetical, my take is "no", that's what NSEC is for.
>
> signed_data = RRSIG_RDATA | RR(1) | RR(2)... where
>
> seems to suggest that there's at least an RR(1), but indeed the language
> is not 100% clear on whether signatures of empty RRsets are valid.
If the RRset is empty, a validator is within its rights not to look for an
RRSIG at all. So generating one, even if possible, would be fruitless.
--
Paul
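Added illustration, not part of the thread: a Python sketch of the RFC 4035 section 5.3.2 `signed_data` construction Viktor quotes, showing that for an empty TLSA RRset the signed data collapses to the RRSIG RDATA alone, which carries no owner name (hence NSEC/NSEC3 for denial of existence). The TLSA records and RRSIG field values are constructed sample values.

```python
"""RFC 4035 s5.3.2: signed_data = RRSIG_RDATA | RR(1) | RR(2) ...

Added example; the record values below are constructed, not real DNS data.
"""
import struct

TYPE_TLSA = 52
CLASS_IN = 1


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, root terminator."""
    labels = name.lower().rstrip(".")
    wire = b""
    if labels:
        for label in labels.split("."):
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def rrsig_rdata_prefix(type_covered, algorithm, labels, orig_ttl,
                       expiration, inception, key_tag, signer):
    """RRSIG RDATA with the Signature field excluded (RFC 4035 s5.3.2)."""
    fixed = struct.pack("!HBBIIIH", type_covered, algorithm, labels,
                        orig_ttl, expiration, inception, key_tag)
    return fixed + name_to_wire(signer)


def canonical_rr(owner, rrtype, rrclass, orig_ttl, rdata):
    """RR(i) = name | type | class | OrigTTL | RDATA length | RDATA."""
    header = struct.pack("!HHIH", rrtype, rrclass, orig_ttl, len(rdata))
    return name_to_wire(owner) + header + rdata


def signed_data(rrsig_prefix, owner, rrtype, rrclass, orig_ttl, rdatas):
    """Concatenate the RRSIG prefix with the RRset in canonical order.

    RFC 4034 s6.3: RRs sorted by RDATA as left-justified unsigned octet
    strings, duplicates removed. With no RRs, only the RRSIG prefix remains,
    and the owner name of the (empty) RRset appears nowhere in the data.
    """
    rrs = sorted(set(rdatas))
    body = b"".join(canonical_rr(owner, rrtype, rrclass, orig_ttl, r) for r in rrs)
    return rrsig_prefix + body


if __name__ == "__main__":
    # Constructed sample: ECDSAP256SHA256 (13), 4 labels, key tag 12345.
    prefix = rrsig_rdata_prefix(TYPE_TLSA, 13, 4, 3600, 1587500000,
                                1586300000, 12345, "example.com.")
    owner = "_443._tcp.example.com."
    tlsa = b"\x03\x01\x01" + bytes([0xAA]) * 32  # DANE-EE, SPKI, SHA-256 (sample)
    print(len(signed_data(prefix, owner, TYPE_TLSA, CLASS_IN, 3600, [tlsa])))
    print(signed_data(prefix, owner, TYPE_TLSA, CLASS_IN, 3600, []) == prefix)
```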