<div dir="auto">Name names. DNS is out there in public.</div><div dir="auto"><br></div><div dir="auto">There are a LOT of US .gov sites where the .gov is all signed, but it ends up in $BIGCLOUDPROVIDER that is not.</div><div dir="auto"><br></div><div dir="auto"><a href="http://www.gsa.gov">www.gsa.gov</a></div><div dir="auto"><a href="http://www.state.gov">www.state.gov</a></div><div dir="auto"><a href="http://www.house.gov">www.house.gov</a></div><div dir="auto"><a href="http://www.senate.gov">www.senate.gov</a></div><div dir="auto"><a href="http://www.cia.gov">www.cia.gov</a></div><div dir="auto"><a href="http://www.cisa.gov">www.cisa.gov</a> (*ehem*)</div><div dir="auto"><a href="http://www.get.gov">www.get.gov</a> (not even .gov is signed?!)</div><div dir="auto"><br></div><div dir="auto">Same thing for a lot of .mil.</div><div dir="auto"><br></div><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 31, 2024 at 3:34 PM Mark Andrews <<a href="mailto:marka@isc.org">marka@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)"><br>
<br>
> On 1 Nov 2024, at 09:15, Bob McDonald <<a href="mailto:bmcdonaldjr@gmail.com" target="_blank">bmcdonaldjr@gmail.com</a>> wrote:<br>
> <br>
> If a host is defined as a CNAME chain where the domain of the host is DNSSEC signed but the domain(S) of the target(s) in the CNAME chain are not, does that mean that the entry really isn't DNSSEC protected?<br>
<br>
Correct. Every element of the chain needs to be DNSSEC signed (and validated as secure) for it to be protected.<br>
<br>
> I can list an example dig for the host in question but I'm reluctant to do so as it's a US gov host.<br>
> <br>
> Please advise.<br>
> <br>
> Regards,<br>
> <br>
> Bob<br>
> -- <br>
> Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
> <br>
> ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
> <br>
> <br>
> bind-users mailing list<br>
> <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
> <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
<br>
-- <br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br>
<br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
<br>
</blockquote></div></div>