[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches
Mark Andrews
marka at isc.org
Thu Apr 14 23:00:01 UTC 2022
We had a report on bind-users that DNSSEC validation through a forwarder was failing.
On investigation it turns out that the failing zones had CNAME records at the zone
apex and the DS lookup was returning the cached instance of that instead of the signed
non-existence of the DS RRset from the parent zone. For zones that don’t break the
prohibition against CNAME and other data this does not happen. DS is not a record that
is supposed to co-exist with CNAME and implementing the simple workaround of not matching
DS lookups against CNAMEs is likely to have other consequences as returning CNAME is the
correct response for non-apex names with a CNAME record.
Bring on HTTPS support in browsers as then this CNAME at the apex idiocy can go away.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
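To illustrate the failure mode described above, here is an added example (constructed for this page, not code from ISC or BIND): a toy resolver cache in which each record remembers the zone that served it, so a DS query can be restricted to parent-served data without breaking CNAMEs at non-apex names. The `RR` class, the cache contents and the `is_proper_ancestor` helper are all assumptions of the example.

```python
# Simulated resolver cache showing why a CNAME at a zone apex breaks DS lookups (constructed, not ISC/BIND code).
# Each cached record remembers the zone that served it, which a real resolver learns from the zone cut.
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str               # owner name, fully qualified, lowercase
    rtype: str              # "CNAME", "DS", "SOA", ...
    rdata: str              # empty for a cached negative answer
    origin: str             # apex of the zone that served this record
    negative: bool = False  # True = signed proof the RRset does not exist

def is_proper_ancestor(zone, name):
    """True if zone lies strictly above name in the DNS tree."""
    if zone == ".":
        return name != "."
    return name != zone and name.endswith("." + zone)

def naive_lookup(cache, name, rtype):
    """RFC 1034 cache matching: a CNAME at the name answers every type."""
    cname = next((rr for rr in cache if rr.name == name and rr.rtype == "CNAME"), None)
    if cname:
        return cname
    return next((rr for rr in cache if rr.name == name and rr.rtype == rtype), None)

def ds_aware_lookup(cache, name, rtype):
    """Same, except a DS query is answered only by data the parent zone served.
    An apex CNAME comes from the child (origin == name) so it never matches DS;
    a CNAME at a non-apex name still does, so ordinary aliases keep working."""
    def ok(rr):
        return rr.name == name and (rtype != "DS" or is_proper_ancestor(rr.origin, name))
    cname = next((rr for rr in cache if ok(rr) and rr.rtype == "CNAME"), None)
    if cname:
        return cname
    return next((rr for rr in cache if ok(rr) and rr.rtype == rtype), None)

def has_apex_cname_violation(cache, zone):
    """Flag a CNAME coexisting with other data (SOA, NS, ...) at the apex."""
    types = {rr.rtype for rr in cache
             if rr.name == zone and rr.origin == zone and not rr.negative}
    return "CNAME" in types and len(types) > 1

# Constructed cache: example.com. carries the prohibited apex CNAME, and com.
# has already supplied a signed denial that example.com. has a DS RRset.
CACHE = [
    RR("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300", "example.com."),
    RR("example.com.", "CNAME", "cdn.example.net.", "example.com."),
    RR("www.example.com.", "CNAME", "cdn.example.net.", "example.com."),
    RR("example.com.", "DS", "", "com.", negative=True),
]
```

With this cache, `naive_lookup` answers a DS query for `example.com.` with the apex CNAME, while `ds_aware_lookup` returns the parent's signed denial, and a DS query for `www.example.com.` still yields its CNAME in both.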