[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Thu Apr 21 09:07:40 UTC 2022
On 4/21/22 03:15, Mark Andrews wrote:
> My main worry is this, correct, cache behaviour breaks DNSSEC validation through a recursive
> server.
Yes, same with Knot Resolver. When communicating with auths directly it
does work I think, but it never worked with forwarding when signed (for us).
Consequently, we know that these breakages don't have significant
practical impact, due to some real-life deployments which default to
forwarding with validation (by Knot Resolver; e.g. Turris).
--Vladimir
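The misconfiguration the thread is about is a CNAME placed at a zone apex, where it cannot coexist with the SOA/NS set and where a cache holding it will return the CNAME chain for a DS query. The checker below is an added example written for this archive page, not code from the thread, from Knot Resolver or from Turris; it parses a small constructed zone fragment (the names and addresses are made up) and flags an apex CNAME as well as any CNAME that coexists with other data at the same owner.

```python
"""Lint a zone for a CNAME at the apex (added example, not from the thread)."""
from collections import defaultdict

# Constructed sample zone fragment; names and addresses are illustrative only.
SAMPLE_ZONE = """\
example.test.      3600 IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test.      3600 IN NS    ns1.example.test.
example.test.      3600 IN CNAME www.example.test.   ; the problem: CNAME at the apex
www.example.test.  300  IN A     192.0.2.10
"""

# DNSSEC-generated types that are allowed to sit next to a CNAME.
CNAME_COMPATIBLE = {"CNAME", "RRSIG", "NSEC", "NSEC3"}


def parse_records(text):
    """Parse 'owner ttl class type rdata' lines into (owner, type, rdata) tuples.

    Comments after ';' are dropped; blank lines are skipped. Owner names are
    lower-cased so comparisons are case-insensitive as in DNS.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed record line: {line!r}")
        owner, _ttl, _cls, rtype = fields[:4]
        records.append((owner.lower(), rtype.upper(), " ".join(fields[4:])))
    return records


def find_apex(records):
    """The apex is the owner name of the SOA record."""
    for owner, rtype, _ in records:
        if rtype == "SOA":
            return owner
    raise ValueError("no SOA record: cannot determine the zone apex")


def lint_cname(records):
    """Return a list of problem descriptions; an empty list means no CNAME issue."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        types_by_owner[owner].add(rtype)

    apex = find_apex(records)
    problems = []
    for owner, types in types_by_owner.items():
        if "CNAME" not in types:
            continue
        if owner == apex:
            problems.append(
                f"{owner}: CNAME at the zone apex; a cache holding it answers "
                f"DS queries for {owner} with the CNAME chain, which breaks "
                f"DNSSEC validation through a forwarding resolver"
            )
        others = sorted(types - CNAME_COMPATIBLE)
        if others:
            problems.append(
                f"{owner}: CNAME coexists with {others} (not allowed by RFC 1034)"
            )
    return problems


if __name__ == "__main__":
    for problem in lint_cname(parse_records(SAMPLE_ZONE)):
        print("PROBLEM:", problem)
```

Running it on the sample reports two findings for `example.test.`: the apex CNAME itself and its coexistence with SOA and NS. A zone whose only CNAMEs sit below the apex and alone at their owner names produces no output.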