Question about DNSSEC
Bob McDonald
bmcdonaldjr at gmail.com
Fri Nov 1 15:20:49 UTC 2024
The host is www.irs.gov.
A further question.
DIG sets the DO flag even though the second and third entries in the CNAME
chain are not signed. There's basically no indication that there's really
any issue.
DELV indicates the host as "fully validated" then flags the second entry in
the CNAME chain as an "unsigned answer".
Should there be some further checking/indications of the issue?
There's also the issue of CNAME chaining which as I recall was at one time
considered bad form. However, it's used extensively across the internet.
(something like domain apex CNAMEs...)
Here's the DIG and DELV output (recursive server is running BIND 9.20.2 on
a Raspberry Pi under FreeBSD 14.1-p6):
root at RaspberryPI-00:~ # dig www.irs.gov. +dnssec
; <<>> DiG 9.20.2 <<>> www.irs.gov. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48697
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 086e3ab5107beca9010000006724eafeedfc230db3b6dfaf (good)
;; QUESTION SECTION:
;www.irs.gov. IN A
;; ANSWER SECTION:
www.irs.gov. 300 IN CNAME www.irs.gov.edgekey.net.
www.irs.gov. 300 IN RRSIG CNAME 8 3 300 20241115030055 20241101020055 49935 irs.gov. GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31 Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3 d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5 LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q==
www.irs.gov.edgekey.net. 300 IN CNAME e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.29
e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.37
;; AUTHORITY SECTION:
dscna.akamaiedge.net. 4000 IN NS n0dscna.akamaiedge.net.
dscna.akamaiedge.net. 4000 IN NS n3dscna.akamaiedge.net.
dscna.akamaiedge.net. 4000 IN NS n2dscna.akamaiedge.net.
dscna.akamaiedge.net. 4000 IN NS n5dscna.akamaiedge.net.
dscna.akamaiedge.net. 4000 IN NS n4dscna.akamaiedge.net.
dscna.akamaiedge.net. 4000 IN NS n1dscna.akamaiedge.net.
dscna.akamaiedge.net. 4000 IN NS n6dscna.akamaiedge.net.
dscna.akamaiedge.net. 4000 IN NS n7dscna.akamaiedge.net.
;; ADDITIONAL SECTION:
n0dscna.akamaiedge.net. 4000 IN AAAA 2600:1480:e800::c0
n0dscna.akamaiedge.net. 4000 IN A 88.221.81.192
n1dscna.akamaiedge.net. 4000 IN A 23.63.249.205
n2dscna.akamaiedge.net. 4000 IN A 23.44.6.12
n3dscna.akamaiedge.net. 4000 IN A 23.44.6.9
n4dscna.akamaiedge.net. 4000 IN A 23.44.6.38
n5dscna.akamaiedge.net. 4000 IN A 23.44.6.13
n6dscna.akamaiedge.net. 4000 IN A 23.44.6.22
n7dscna.akamaiedge.net. 4000 IN A 23.218.252.156
;; Query time: 425 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Fri Nov 01 14:51:42 UTC 2024
;; MSG SIZE rcvd: 803
root at RaspberryPI-00:~ # delv www.irs.gov.
; fully validated
www.irs.gov. 297 IN CNAME www.irs.gov.edgekey.net.
www.irs.gov. 297 IN RRSIG CNAME 8 3 300 20241115030055 20241101020055 49935 irs.gov. GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31 Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3 d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5 LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q==
; unsigned answer
www.irs.gov.edgekey.net. 75 IN CNAME e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.6
e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.30
Regards,
Bob
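The question above is whether dig gives any indication that the second and third steps of the CNAME chain are unsigned. The signal dig does carry is in the header, not in the EDNS line: `do` in "EDNS: ... flags: do" only records that the client asked for DNSSEC records, whereas a validating resolver sets the `ad` header flag only when every RRset in the answer validated, and the output above shows `flags: qr rd ra` with no `ad`. The following Python script is an added example, not code from the original post and not part of BIND or delv: it parses a dig +dnssec answer section in the same line-wrapped form as the post, follows the CNAME chain, and reports for each step whether an RRSIG covering that RRset is present, together with the `ad` flag. The sample input is constructed from the names and addresses in the post, with the signature bytes replaced by placeholder tokens.

```python
"""Walk the CNAME chain in a dig +dnssec answer section and report which
steps carry an RRSIG and whether the resolver set the ad flag.
Added example; not from the original bind-users post and not BIND/delv code."""
import re
from collections import defaultdict

# Constructed sample in the shape of the post's dig output (names and
# addresses from the post; the signature chunks are placeholders, not the
# real RRSIG material). The wrapped lines mirror the mail archive's wrapping.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48697
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10
;; ANSWER SECTION:
www.irs.gov. 300 IN CNAME www.irs.gov.edgekey.net.
www.irs.gov. 300 IN RRSIG CNAME 8 3 300
20241115030055 20241101020055 49935 irs.gov.
PLACEHOLDER_SIGNATURE_CHUNK_1
PLACEHOLDER_SIGNATURE_CHUNK_2==
www.irs.gov.edgekey.net. 300 IN CNAME e127382.dscna.akamaiedge.net
.
e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.29
e127382.dscna.akamaiedge.net. 20 IN A 23.208.28.37
;; AUTHORITY SECTION:
dscna.akamaiedge.net. 4000 IN NS n0dscna.akamaiedge.net.
"""

# A record line in presentation format: owner, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")


def norm(name):
    """Case-insensitive, trailing-dot-insensitive name comparison key."""
    return name.lower().rstrip(".")


def parse_dig(text):
    """Return (header flags, answer-section records).

    Records are (owner, ttl, type, rdata_tokens). Lines inside the answer
    section that do not start a new record (mail-wrapped RRSIG fields, a
    stray '.' from a wrapped CNAME target) are appended to the previous
    record's rdata tokens.
    """
    flags, records, in_answer = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False  # any other section header ends the answer
        elif in_answer and line and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                records.append((norm(owner), int(ttl), rtype, rdata.split()))
            elif records:
                records[-1][3].extend(line.split())
    return flags, records


def walk_cname_chain(qname, records):
    """Follow CNAMEs from qname; each step is (owner, type, target, signed).

    'signed' means an RRSIG covering that type exists at that owner in the
    answer. It is presence only; it does not prove the signature verified.
    """
    rrsets, signed = defaultdict(list), set()
    for owner, _ttl, rtype, rdata in records:
        if rtype == "RRSIG":
            signed.add((owner, rdata[0]))  # first RRSIG field: type covered
        else:
            rrsets[(owner, rtype)].append(rdata)
    steps, name, seen = [], norm(qname), set()
    while name not in seen:  # 'seen' guards against a CNAME loop
        seen.add(name)
        if (name, "CNAME") in rrsets:
            target = norm(rrsets[(name, "CNAME")][0][0])
            steps.append((name, "CNAME", target, (name, "CNAME") in signed))
            name = target
            continue
        for rtype in ("A", "AAAA"):
            if (name, rtype) in rrsets:
                addrs = [rd[0] for rd in rrsets[(name, rtype)]]
                steps.append((name, rtype, addrs, (name, rtype) in signed))
                break
        else:  # chain target has no address RRset in this answer
            steps.append((name, None, None, False))
        break
    return steps


def report(qname, dig_text):
    """Summarise validation-relevant facts of a dig answer for qname."""
    flags, records = parse_dig(dig_text)
    steps = walk_cname_chain(qname, records)
    return {
        "ad": "ad" in flags,
        "steps": steps,
        "unsigned": [s[0] for s in steps if not s[3]],
    }


if __name__ == "__main__":
    r = report("www.irs.gov.", SAMPLE_DIG)
    print("ad flag set:", r["ad"])
    for owner, rtype, target, ok in r["steps"]:
        print(f"{'signed  ' if ok else 'UNSIGNED'} {owner} {rtype} -> {target}")
```

Run against the post's output this reports the first step as signed, the edgekey.net CNAME and the akamaiedge.net A records as unsigned, and the `ad` flag as absent, which is the same picture delv paints with its "unsigned answer" marker. The check is deliberately about presence of an RRSIG, not its validity; only a validator (delv, or a resolver that sets `ad`) can tell you the signature verified.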