Question about DNSSEC
Crist Clark
cjc+bind-users at pumpky.net
Thu Oct 31 23:08:16 UTC 2024
Name names. DNS is out there in public.
There are a LOT of US .gov sites where the .gov is all signed, but it ends
up in $BIGCLOUDPROVIDER that is not.
www.gsa.gov
www.state.gov
www.house.gov
www.senate.gov
www.cia.gov
www.cisa.gov (*ehem*)
www.get.gov (not even .gov is signed?!)
Same thing for a lot of .mil.
On Thu, Oct 31, 2024 at 3:34 PM Mark Andrews <marka at isc.org> wrote:
>
>
> > On 1 Nov 2024, at 09:15, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
> >
> > If a host is defined as a CNAME chain where the domain of the host is
> DNSSEC signed but the domain(S) of the target(s) in the CNAME chain are
> not, does that mean that the entry really isn't DNSSEC protected?
>
> Correct. Every element of the chain needs to be DNSSEC signed (and
> validated as secure) for it to be protected.
>
> > I can list an example dig for the host in question but I'm reluctant to
> do so as it's a US gov host.
> >
> > Please advise.
> >
> > Regards,
> >
> > Bob
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> >
> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20241031/af52da2d/attachment-0001.htm>
More information about the bind-users
mailing list