DNSSEC DS Record
Evan Hunt
each at isc.org
Fri Jul 14 23:25:55 UTC 2017
On Fri, Jul 14, 2017 at 05:11:18PM -0500, /dev/rob0 wrote:
> > Does zbc.com (for example) need DS, or is just passed by the TLD?
>
> Zbc.com. is not a zone, it is a CNAME in the com. TLD. There would
> be no NS to delegate to, therefore no DS.
Actually it *is* a zone: the .com TLD delegates to servers at iidns.com,
which then return a CNAME at the zone apex, but only if the query is for
type A. For other query types including DNSKEY, they return NOERROR/NODATA.
This is a bad idea and they should stop doing it.
If zbc.com were to be signed, it would need a DS in .com and it would also
need a DNSKEY at zbc.com, which would be occluded by the cached CNAME, and
DNSSEC validation would fail.
(This is more or less the exact use case for the proposed ANAME record.)
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
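An added illustration of the occlusion problem described above (example code written for this page, not ISC or BIND code, and not part of the original post). It models a resolver cache that applies the RFC 1034 section 3.6.2 rule that a CNAME must be the only data at its owner name, then runs the scenario from the post: an A query caches a CNAME at the zbc.com apex, after which a DNSKEY lookup at the apex can only ever see that CNAME, so no key can be matched against a DS in .com. The DS key tag, the CNAME target and the address are constructed values; real resolvers differ in detail, but the conclusion is the same.

```python
# Toy resolver-cache model (constructed for illustration, not ISC/BIND code):
# a CNAME at a zone apex occludes every other type at that name, so a
# DNSKEY lookup at the apex never finds a key and validation cannot succeed.
from dataclasses import dataclass


@dataclass
class RRset:
    name: str        # owner name, e.g. "zbc.com."
    rtype: str       # record type, e.g. "CNAME", "A", "DNSKEY"
    rdata: list      # constructed rdata, kept deliberately simple


class ResolverCache:
    """Cache keyed by (owner name, type), applying the RFC 1034 section 3.6.2
    rule that a CNAME must be the only data at its owner name."""

    def __init__(self):
        self._store = {}

    def add(self, rrset):
        """Cache an RRset; returns False if a cached CNAME occludes it."""
        if rrset.rtype == "CNAME":
            # a CNAME displaces any other type already cached at this name
            for key in [k for k in self._store
                        if k[0] == rrset.name and k[1] != "CNAME"]:
                del self._store[key]
        elif (rrset.name, "CNAME") in self._store:
            return False
        self._store[(rrset.name, rrset.rtype)] = rrset
        return True

    def lookup(self, name, rtype):
        """Answer from cache the way a resolver would: a cached CNAME is
        followed for every qtype except CNAME itself."""
        cname = self._store.get((name, "CNAME"))
        if cname is not None and rtype != "CNAME":
            return "CNAME", cname
        rr = self._store.get((name, rtype))
        return ("ANSWER", rr) if rr is not None else ("NODATA", None)


def validate_apex(cache, zone, parent_ds_keytag):
    """Check whether a DNSKEY reachable at the apex matches the DS in the
    parent; returns (secure, reason)."""
    status, rr = cache.lookup(zone, "DNSKEY")
    if status != "ANSWER":
        return False, f"no DNSKEY at {zone}: cache answered {status}"
    if parent_ds_keytag in {key["keytag"] for key in rr.rdata}:
        return True, "DS matches a DNSKEY at the apex"
    return False, "DS matches no DNSKEY at the apex"


def cname_at_apex():
    """Scenario from the post: an A query caches a CNAME at zbc.com., after
    which a DNSKEY query for the apex can only ever see that CNAME."""
    cache = ResolverCache()
    # constructed: what the iidns.com servers return for "zbc.com. A"
    cache.add(RRset("zbc.com.", "CNAME", ["www.example.invalid."]))
    # constructed: a DNSKEY (key tag 12345) later offered for the apex; a
    # resolver honouring 3.6.2 cannot cache it beside the CNAME
    cached = cache.add(RRset("zbc.com.", "DNSKEY", [{"keytag": 12345}]))
    secure, reason = validate_apex(cache, "zbc.com.", parent_ds_keytag=12345)
    return cached, secure, reason


def ordinary_apex():
    """Same zone with an address record instead of a CNAME at the apex."""
    cache = ResolverCache()
    cache.add(RRset("zbc.com.", "A", ["192.0.2.10"]))        # constructed
    cache.add(RRset("zbc.com.", "DNSKEY", [{"keytag": 12345}]))
    secure, reason = validate_apex(cache, "zbc.com.", parent_ds_keytag=12345)
    return secure, reason


if __name__ == "__main__":
    print(cname_at_apex())   # DNSKEY not cached, validation fails
    print(ordinary_apex())   # validation succeeds
```

The occlusion cuts both ways in this model: a CNAME arriving after an A or DNSKEY RRset evicts them, and a DNSKEY arriving after the CNAME is refused, which is why a DS in the parent cannot help a zone that answers its apex A query with a CNAME.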