DNSSEC DS Record
each at isc.org
Fri Jul 14 23:25:55 UTC 2017
On Fri, Jul 14, 2017 at 05:11:18PM -0500, /dev/rob0 wrote:
> > Does zbc.com (for example) need DS, or is just passed by the TLD?
> Zbc.com. is not a zone, it is a CNAME in the com. TLD. There would
> be no NS to delegate to, therefore no DS.
Actually it *is* a zone: the .com TLD delegates to servers at iidns.com,
which then return a CNAME at the zone apex, but only if the query is for
type A. For other query types including DNSKEY, they return NOERROR/NODATA.
This is a bad idea and they should stop doing it.
If zbc.com were to be signed, it would need a DS in .com and it would also
need a DNSKEY at zbc.com, which would be occluded by the cached CNAME, and
DNSSEC validation would fail.
(This is more or less the exact use case for the proposed ANAME record.)
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users