[dns-operations] Edge-case, zero-length DNSKEYs
marka at isc.org
Tue Oct 6 21:22:31 UTC 2020
On 7 Oct 2020, at 08:07, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> On Wed, Oct 07, 2020 at 07:27:47AM +1100, Mark Andrews wrote:
>> They are just malformed. No key material is not permitted with DNSKEY.
>> It’s one of the differences to KEY.
> Yes, I am aware they're malformed, my question is whether this then
> causes problems for various tools and resolvers. Among the major
> public DNS providers, a DNSKEY lookup returns:
> * CloudFlare - NOERROR
> * Google - SERVFAIL
> * OpenDNS - NOERROR
> * Quad9 - NOERROR
> * Verisign - NOERROR
> So at least Google finds the DNSKEY RRset in question problematic
> overall, despite the valid ECDSA P256 signature.
This is where garbage should be rejected as soon as possible. At least
we won’t have to deal with “but it works with Google” this time.
Edge-case implies it is something that should be accepted, which is why
I came back with the unequivocal “malformed”.
>>> On 7 Oct 2020, at 04:40, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>>> After an algorithm rollover (RSA 8 -> ECDSA P256 13) a couple of days
>>> back, two domains now have new zero-length RSA 8 KSKs, along with
>>> working new ECDSA KSKs:
>>> nlagriculture.nl. IN DNSKEY 257 3 8 ; NoError
>>> nlenergyandclimatechange.nl. IN DNSKEY 257 3 8 ; NoError
>>> Unbound validates the DNSKEY RRset just fine, but these give DNSViz some indigestion:
>>> I wonder whether any other tools
>>> (especially resolvers) have difficulties with these...
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
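The thread's point is that a DNSKEY whose RDATA stops after flags/protocol/algorithm carries no key material and is malformed under RFC 4034, and that tooling should reject such records early rather than pass them along. The following is an added example, not code from the thread or from any of the resolvers named in it: a small Python checker that parses presentation-format DNSKEY RDATA, flags a zero-length public key, and additionally checks the algorithm-specific key shape (RFC 3110 exponent/modulus framing for the RSA algorithms, fixed raw key sizes for ECDSA and EdDSA). The sample RRset at the bottom is constructed for illustration; the zero-length "257 3 8" entry mirrors the shape of the records quoted above, and the other keys are dummy byte strings, not real keys.

```python
import base64

# Raw public-key sizes for fixed-size algorithms: 13/14 from RFC 6605, 15/16 from RFC 8080.
FIXED_KEY_SIZES = {13: 64, 14: 96, 15: 32, 16: 57}
# RSA-based algorithm numbers whose key field uses the RFC 3110 exponent/modulus encoding.
RSA_ALGORITHMS = {5, 7, 8, 10}


def parse_dnskey_rdata(text):
    """Parse "<flags> <protocol> <algorithm> [<base64 key ...>]" into its fields.

    The key material may be split across several whitespace-separated base64 chunks,
    as zone files often do, so all trailing fields are joined before decoding.
    An absent key decodes to b"" rather than raising; check_dnskey() reports it.
    """
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("DNSKEY RDATA needs at least flags, protocol and algorithm")
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]), validate=True)
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm, "pubkey": pubkey}


def rsa_key_parts(pubkey):
    """Split an RFC 3110 RSA public key into (exponent, modulus), raising on truncation.

    First byte is the exponent length; a zero first byte means the length is in the
    following two bytes. Everything after the exponent is the modulus.
    """
    if not pubkey:
        raise ValueError("empty key")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    exponent = pubkey[offset:offset + exp_len]
    modulus = pubkey[offset + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated exponent or missing modulus")
    return exponent, modulus


def check_dnskey(rec):
    """Return a list of problem strings for one parsed DNSKEY record (empty list if sane)."""
    problems = []
    if rec["protocol"] != 3:
        problems.append(f"protocol {rec['protocol']} is not 3 (RFC 4034 requires 3)")
    alg, key = rec["algorithm"], rec["pubkey"]
    if len(key) == 0:
        # The case discussed in the thread: flags/protocol/algorithm present, no key material.
        problems.append("zero-length public key: DNSKEY carries no key material (malformed)")
        return problems
    if alg in RSA_ALGORITHMS:
        try:
            rsa_key_parts(key)
        except ValueError as exc:
            problems.append(f"RSA key not in RFC 3110 form: {exc}")
    elif alg in FIXED_KEY_SIZES and len(key) != FIXED_KEY_SIZES[alg]:
        problems.append(f"algorithm {alg} key must be {FIXED_KEY_SIZES[alg]} bytes, got {len(key)}")
    return problems


def audit_dnskey_rrset(records):
    """Map each presentation-format RDATA string to its list of problems."""
    return {r: check_dnskey(parse_dnskey_rdata(r)) for r in records}


# Constructed sample RRset (dummy key bytes, not real keys).
SAMPLE_RRSET = [
    "257 3 8",                                                        # zero-length RSA KSK
    "257 3 13 " + base64.b64encode(bytes(64)).decode(),               # P-256 key of the right size
    "257 3 8 " + base64.b64encode(b"\x03\x01\x00\x01" + b"\x01" * 32).decode(),  # e=65537 + toy modulus
    "257 3 13 " + base64.b64encode(bytes(32)).decode(),               # P-256 key of the wrong size
]

if __name__ == "__main__":
    for rdata, problems in audit_dnskey_rrset(SAMPLE_RRSET).items():
        print(f"{rdata[:40]:<40} -> {problems or 'ok'}")
```

Run as a script it prints one line per record; the zero-length entry and the undersized P-256 entry are reported, the other two pass. The check stops at the zero-length test because nothing further can be said about a key that is not there, which is the same "reject garbage as early as possible" posture the reply argues for.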