[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail

Paul Vixie paul at redbarn.org
Sun Apr 19 19:50:12 UTC 2020


On Sunday, 19 April 2020 16:49:36 UTC Viktor Dukhovni wrote:
> ...
> 
> > Could this work if the authoriative server returned an RRSIG signature
> > of an empty TLSA RRset?
> 
> An interesting hypothetical, my take is "no", that's what NSEC is for.
> 
>     signed_data = RRSIG_RDATA | RR(1) | RR(2)...  where
> 
> seems to suggest that there's at least an RR(1), but indeed the language
> is not 100% clear on whether signatures of empty RRsets are valid.

if the rrset is empty, a validator is within its rights not to look for an 
RRSIG at all. so, generating one even if possible would be fruitless.

-- 
Paul




More information about the dns-operations mailing list