[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Thu Apr 21 09:07:40 UTC 2022


On 4/21/22 03:15, Mark Andrews wrote:
> My main worry is this, correct, cache behaviour breaks DNSSEC validation through a recursive
> server.

Yes, same with Knot Resolver. When communicating with auths directly it 
does work, I think, but it never worked with forwarding when signed (for us).

Consequently, we know that these breakages don't have significant 
practical impact, due to some real-life deployments which default to 
forwarding with validation (by Knot Resolver; e.g. Turris).

--Vladimir
