[dns-operations] Edge-case, zero-length DNSKEYs
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Oct 6 21:07:56 UTC 2020
On Wed, Oct 07, 2020 at 07:27:47AM +1100, Mark Andrews wrote:
> They are just malformed. No key material is not permitted with DNSKEY.
> it’s one of the differences to KEY.
Yes, I am aware they're malformed, my question is whether this then
causes problems for various tools and resolvers. Among the major
public DNS providers, a DNSKEY lookup returns:
* CloudFlare - NOERROR
* Google - SERVFAIL
* OpenDNS - NOERROR
* Quad9 - NOERROR
* Verisign - NOERROR
So at least Google finds the DNSKEY RRset in question problematic
overall, despite the valid ECDSA P256 signature.
> > On 7 Oct 2020, at 04:40, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> >
> > After an algorithm rollover (RSA 8 -> ECDSA P256 13) a couple of days
> > back, two domains now have new zero-length RSA 8 KSKs, along with
> > working new ECDSA KSKs:
> >
> > https://stats.dnssec-tools.org/explore/?nlagriculture.nl
> > https://stats.dnssec-tools.org/explore/?nlenergyandclimatechange.nl
> >
> >
> > nlagriculture.nl. IN DNSKEY 257 3 8 ; NoError
> > nlenergyandclimatechange.nl. IN DNSKEY 257 3 8 ; NoError
> >
> > Unbound validates the DNSKEY RRset just fine, but these give DNSViz some indigestion:
> >
> > https://dnsviz.net/d/nlagriculture.nl/X3yhPg/dnssec/
> > https://dnsviz.net/d/nlenergyandclimatechange.nl/X3yhXg/dnssec/
> >
> > I wonder whether any other tools
> > (especially resolvers) have difficulties with these...
--
Viktor.
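As an added example (not code from the thread or from any of the resolvers named in it), here is how a validator or diagnostic tool could parse DNSKEY RDATA, flag the zero-length key material discussed above as malformed, and still keep the usable keys in the RRset. The wire bytes are constructed: one matches the quoted "257 3 8" records with no key material, the other is a hypothetical algorithm-13 (ECDSA P-256) KSK with a 64-byte placeholder key.

```python
import struct
from dataclasses import dataclass

# DNSKEY RDATA on the wire (RFC 4034, section 2.1):
#   flags (2 bytes) | protocol (1 byte) | algorithm (1 byte) | public key (n bytes)
ZONE_FLAG, REVOKE_FLAG, SEP_FLAG = 0x0100, 0x0080, 0x0001

@dataclass
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (the method used for algorithms other than 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

def parse_dnskey_rdata(rdata: bytes) -> DNSKEY:
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA shorter than the 4-byte fixed header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return DNSKEY(flags, protocol, algorithm, rdata[4:])

def dnskey_problems(key: DNSKEY) -> list[str]:
    """Structural checks a tool should apply before trying to use a key."""
    problems = []
    if key.protocol != 3:
        problems.append("protocol field must be 3")
    if key.flags & ~(ZONE_FLAG | REVOKE_FLAG | SEP_FLAG):
        problems.append("reserved flag bits set")
    if not key.public_key:
        problems.append("zero-length public key: malformed DNSKEY")
    return problems

def usable_keys(rdatas: list[bytes]) -> list[DNSKEY]:
    """Lenient handling: skip malformed keys, keep the rest of the RRset."""
    return [k for k in map(parse_dnskey_rdata, rdatas) if not dnskey_problems(k)]

# Constructed samples: the quoted "257 3 8" record with no key material, and a
# hypothetical algorithm-13 KSK whose 64-byte key is a placeholder, not a real key.
EMPTY_RSA_KSK = bytes.fromhex("01010308")
FAKE_ECDSA_KSK = bytes.fromhex("0101030d") + bytes(range(64))
```

Calling `dnskey_problems(parse_dnskey_rdata(EMPTY_RSA_KSK))` reports the zero-length key, while `usable_keys([EMPTY_RSA_KSK, FAKE_ECDSA_KSK])` returns only the algorithm-13 key.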