[dns-operations] Stale NTA for "peek.ru" at Cloudflare?

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Mar 13 21:28:03 UTC 2020

On Fri, Mar 13, 2020 at 01:52:04PM -0700, Marek Vavruša wrote:

> On Fri, 13 Mar 2020 at 12:56, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> >
> > I am running into either a stale NTA or perhaps special-casing of
> > algorithm 6 (DSA-NSEC3-SHA1) when using Cloudflare to query the TLSA
> > records of beta.peek.ru, which have valid DSA-NSEC3-SHA1 (deprecated)
> > 1024-bit signatures:
> >
> >     https://dnsviz.net/d/_25._tcp.beta.peek.ru/XmvZ6A/dnssec/
>
> The DSA-NSEC3-SHA1 has been deprecated in
> https://tools.ietf.org/html/rfc8624 so zones below DS with these keys
> are effectively treated as unsigned zones (rfc4035 5.2), but you raise
> a good point that the method of doing so is not consistent.

Treating them as unsigned is fine for setting the AD bit, but not
returning the RRSIG when a downstream iterative resolver sets DO=1 (even
with CD=1) means that downstream resolvers that still validate DSA
now consider the domain "bogus", not just unsigned.

The new RFC8624 (https://tools.ietf.org/html/rfc8624#section-3.1) status
of DSA-NSEC3-SHA1 (6) as "MUST NOT" for both signing and validation is
less than one year old, and there are still fielded resolvers that have
not been updated to ignore it, including "unbound" 1.9.6, which was,
prior to Feb 20th, the latest release.  [ My DANE survey is presently
running on a Fedora 31 system with unbound 1.9.6. ]

Therefore, it is I think somewhat premature to drop DSA RRSIGs in
response to DO=1 queries.  In the short term (next couple of years)
RRSIG and NSEC records should probably be forwarded to downstream
resolvers that set DO=1.
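
The distinction drawn in this message (a validator that treats the zone as unsigned versus one that, given a signed zone and no RRSIG, must call the answer bogus) can be modelled directly. The following is an added example, not code from the thread or from any resolver: it encodes the RFC 4035 section 5.2 / RFC 6840 section 5.2 rule that a delegation whose DS RRset references only algorithms the validator does not implement is treated as unsigned, and the rule that a supported-algorithm zone must supply verifiable signatures. The key tag and the `crypto_ok` flag are constructed stand-ins (no real DSA verification is performed), and `forward()` is a hypothetical model of an upstream resolver that drops RRSIGs for algorithms it no longer implements.

```python
"""Model of the validation outcome at a downstream validator, depending on
whether the upstream forwarder passed RRSIGs through on a DO=1 query and
whether the downstream validator still implements DSA-NSEC3-SHA1 (6).
Added example; key tag and crypto_ok are constructed placeholders."""
from dataclasses import dataclass, field
from enum import Enum

# IANA DNSSEC algorithm numbers used in this example
DSA_NSEC3_SHA1 = 6       # RFC 8624: MUST NOT sign, MUST NOT validate
ECDSAP256SHA256 = 13     # a currently recommended algorithm


class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"   # unsigned from this validator's point of view
    BOGUS = "bogus"         # signed zone, but validation failed


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    crypto_ok: bool = True  # constructed stand-in for the signature check


@dataclass
class Answer:
    owner: str
    rrtype: str
    rrsigs: list = field(default_factory=list)


def forward(answer: Answer, forwarder_algs: set) -> Answer:
    """Hypothetical upstream forwarder that strips RRSIGs whose algorithm it
    no longer implements, returning what the downstream DO=1 querier sees."""
    kept = [s for s in answer.rrsigs if s.algorithm in forwarder_algs]
    return Answer(answer.owner, answer.rrtype, kept)


def validate(answer: Answer, ds_algs: set, zone_keys: dict, supported: set) -> Status:
    """Classify an answer at a validator implementing the algorithms in
    `supported`.  `ds_algs` are the algorithms referenced by the parent's DS
    RRset; `zone_keys` maps DNSKEY key_tag -> algorithm."""
    # RFC 4035 5.2 / RFC 6840 5.2: no DS algorithm we implement -> treat the
    # zone as unsigned.  This is the "insecure" path a modern validator takes.
    if not (ds_algs & supported):
        return Status.INSECURE
    # The zone is signed with an algorithm we implement, so the answer must
    # carry a signature we can verify; an empty RRSIG set cannot be secure.
    for sig in answer.rrsigs:
        if sig.algorithm not in supported:
            continue
        if zone_keys.get(sig.key_tag) == sig.algorithm and sig.crypto_ok:
            return Status.SECURE
    return Status.BOGUS


# Constructed fixture: a DSA-signed TLSA answer.  The key tag 12345 is made up.
ZONE_KEYS = {12345: DSA_NSEC3_SHA1}
DS_ALGS = {DSA_NSEC3_SHA1}
TLSA_ANSWER = Answer("_25._tcp.beta.peek.ru.", "TLSA",
                     [RRSIG(DSA_NSEC3_SHA1, 12345)])


def outcome(downstream_supports_dsa: bool, forwarder_strips_dsa: bool) -> Status:
    """Outcome at the downstream validator for one combination of
    (validator still implements DSA, forwarder drops DSA RRSIGs)."""
    supported = {ECDSAP256SHA256}
    if downstream_supports_dsa:
        supported.add(DSA_NSEC3_SHA1)
    forwarder_algs = {ECDSAP256SHA256}
    if not forwarder_strips_dsa:
        forwarder_algs.add(DSA_NSEC3_SHA1)
    return validate(forward(TLSA_ANSWER, forwarder_algs), DS_ALGS, ZONE_KEYS, supported)


if __name__ == "__main__":
    for dsa, strip in [(True, False), (True, True), (False, False), (False, True)]:
        print(f"validator_has_dsa={dsa!s:5} forwarder_strips={strip!s:5} -> "
              f"{outcome(dsa, strip).value}")
```

The second row of the output is the case the message is about: a validator that still implements algorithm 6 (such as the unbound 1.9.6 mentioned above) sees a signed delegation with no RRSIG and returns bogus, whereas the same validator behind a forwarder that passes the RRSIGs through validates the answer, and a validator that has dropped algorithm 6 reaches insecure either way.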
