[dns-operations] Any DNAME usage experience?

Mark Andrews marka at isc.org
Tue Mar 31 22:37:04 UTC 2020



> On 31 Mar 2020, at 23:03, Vladimír Čunát <vladimir.cunat+ietf at nic.cz> wrote:
> 
> On 3/31/20 6:47 AM, Brian Somers wrote:
>> One useful thing I could say (If you haven’t hit delete yet) is that I *HAVE* seen RRSIGs with compressed signers in the wild, so never assume that, just because RFCs say MUST NOT, you’ll never see these horrible things.
> 
> Sure, validators MUST NOT crash on those, etc... but does that mean they
> SHOULD accept such signatures?  I don't think so.  (unless there's some
> additional motivation)

Well, BIND has rejected them in RRSIGs from the get-go.  They are also rejected
in SIG records.  So while Brian may have seen them, I would presume that
whatever was generating them has been fixed.

static inline isc_result_t
fromwire_rrsig(ARGS_FROMWIRE) {
...
	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);

which went into the code on 2003-09-30

and dns_name_fromwire has

                        } else if (c >= 192) {
                                /*
                                 * Ordinary 14-bit pointer.
                                 */
                                if ((dctx->allowed & DNS_COMPRESS_GLOBAL14) ==
                                    0) {
                                        return (DNS_R_DISALLOWED);
                                }
                                new_current = c & 0x3F;
                                state = fw_newcurrent;

Mark


> --Vladimir

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
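
The rejection discussed in this message, as an added example that is not part of the original post and is not BIND code: a stand-alone check that walks the signer name in RRSIG RDATA and refuses any compression pointer (first octet >= 192). The function names, error codes and both sample RDATA buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { NAME_OK = 0, NAME_TRUNCATED = -1, NAME_DISALLOWED = -2, NAME_MALFORMED = -3 };
/* type covered(2) alg(1) labels(1) ttl(4) expiration(4) inception(4) key tag(2) */
#define RRSIG_FIXED_LEN 18

/* Walk an uncompressed wire-format name at buf[off]; set *name_len on success. */
static int check_uncompressed_name(const uint8_t *buf, size_t len, size_t off,
                                   size_t *name_len)
{
    size_t pos = off;
    while (pos < len) {
        uint8_t c = buf[pos++];
        if (c >= 192) return NAME_DISALLOWED;   /* 14-bit compression pointer */
        if (c >= 64)  return NAME_MALFORMED;    /* reserved label types */
        if (c == 0) { *name_len = pos - off; return NAME_OK; } /* root label */
        if (c > len - pos) return NAME_TRUNCATED; /* label runs past the buffer */
        pos += c;
        if (pos - off > 254) return NAME_MALFORMED; /* name would exceed 255 octets */
    }
    return NAME_TRUNCATED;
}

/* Validate RRSIG RDATA layout: fixed fields, plain signer name, non-empty signature. */
int check_rrsig_rdata(const uint8_t *rdata, size_t rdlen)
{
    size_t name_len = 0;
    if (rdlen <= RRSIG_FIXED_LEN) return NAME_TRUNCATED;
    int r = check_uncompressed_name(rdata, rdlen, RRSIG_FIXED_LEN, &name_len);
    if (r != NAME_OK) return r;
    return (RRSIG_FIXED_LEN + name_len < rdlen) ? NAME_OK : NAME_TRUNCATED;
}

/* Constructed samples: 18 fixed octets, signer name, 4 dummy signature octets. */
static const uint8_t rrsig_plain[] = {
    0,1, 8, 2, 0,0,14,16, 0,0,0,2, 0,0,0,1, 0x30,0x39,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0xde,0xad,0xbe,0xef };
static const uint8_t rrsig_compressed[] = {
    0,1, 8, 2, 0,0,14,16, 0,0,0,2, 0,0,0,1, 0x30,0x39,
    0xc0,0x0c,                     /* signer name given as a pointer */
    0xde,0xad,0xbe,0xef };

int main(void)
{
    return check_rrsig_rdata(rrsig_plain, sizeof rrsig_plain) == NAME_OK &&
           check_rrsig_rdata(rrsig_compressed, sizeof rrsig_compressed) == NAME_DISALLOWED
           ? 0 : 1;
}
```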
