[dns-operations] Stale NTA for "peek.ru" at Cloudflare?

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Mar 13 22:01:52 UTC 2020

On Fri, Mar 13, 2020 at 05:28:03PM -0400, Viktor Dukhovni wrote:

> Treating them as unsigned is fine for setting the AD bit, but not
> returning the RRSIG when a downstream iterative resolver sets DO=1 (even
> with CD=1) means that downstream resolvers that still validate DSA
> now consider the domain "bogus", not just unsigned.
> The new RFC8624 (https://tools.ietf.org/html/rfc8624#section-3.1) status
> of DSA-NSEC3-SHA1 (6) as "MUST NOT" for both signing and validation is
> less than one year old, and there are still fielded resolvers that have
> not been updated to ignore it, including "unbound" 1.9.6, which was,
> prior to Feb 20th, the latest release.  [ My DANE survey is presently
> running on a Fedora 31 system with unbound 1.9.6. ]

That said the "MUST NOT" validate algorithms from that table have the
following frequencies in the wild based on my (unavoidably incomplete)
survey of ~10.8 million signed domains:

    dane=> select count(distinct qname), alg from ds where alg in (1,3,6) group by 2 order by 1 desc;
     count | alg
       288 |   1
       234 |   3
        40 |   6

So the scope of the problem is admittedly rather modest, affecting fewer
than 600 of the ~10.8 million domains.


More information about the dns-operations mailing list