<html><head></head><body><div>
           
    
        <div dir="auto" id="compose-body-wrapper"><div dir="auto">Even with a CNAME record, the delv command will validate each step of the resolution. You can use the +vtrace option to see each validation and +mtrace to see each individual message.</div><div dir="auto">-Evan</div><div dir="auto"><br></div><br></div><div dir="auto" class="replyHeader">Ondřej Surý wrote:</div><br><br><div><blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" type="cite">DO flag is indication to “do DNSSEC”, it has no other meaning. You should be looking for AD flag.<div><br></div><div>As for delv output - it prints out which names are validated and those that are not. I don’t see anything wrong here.<br id="lineBreakAtBeginningOfSignature"><div dir="ltr"><div>--</div>Ondřej Surý — ISC (He/Him)<div><br></div><div>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div><div dir="ltr"><br><blockquote type="cite">On 1. 11. 2024, at 16:21, Bob McDonald <bmcdonaldjr@gmail.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">The host is <a href="http://www.irs.gov" target="_blank" rel="noopener noreferrer">www.irs.gov</a>.<div><br></div><div>A further question.</div><div><br></div><div>DIG sets the DO flag even though the second and third entries in the CNAME chain are not signed. There's basically no indication that there's really any issue.</div><div><br></div><div>DELV indicates the host as "fully validated" then flags the second entry in the CNAME chain as an "unsigned answer".</div><div><br></div><div>Should there be some further checking/indications of the issue?</div><div><br></div><div>There's also the issue of CNAME chaining which as I recall was at one time considered bad form. 
However, it's used extensively across the internet. (something like domain apex </div><div>CNAMEs...)</div><div><br></div><div>Here's the DIG and DELV output (recursive server is running bind 9.20.2 on a raspberrypi under freeBSD 14.1-p6):</div><div><br></div><div>root@RaspberryPI-00:~ # dig <a href="http://www.irs.gov" target="_blank" rel="noopener noreferrer">www.irs.gov</a>. +dnssec<br><br></div><div>; <<>> DiG 9.20.2 <<>> <a href="http://www.irs.gov" target="_blank" rel="noopener noreferrer">www.irs.gov</a>. +dnssec<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48697<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 1232<br>; COOKIE: 086e3ab5107beca9010000006724eafeedfc230db3b6dfaf (good)<br>;; QUESTION SECTION:<br>;<a href="http://www.irs.gov" target="_blank" rel="noopener noreferrer">www.irs.gov</a>.                   IN      A<br><br>;; ANSWER SECTION:<br><a href="http://www.irs.gov" target="_blank" rel="noopener noreferrer">www.irs.gov</a>.            300     IN      CNAME   <a href="http://www.irs.gov.edgekey.net" target="_blank" rel="noopener noreferrer">www.irs.gov.edgekey.net</a>.<br><a href="http://www.irs.gov" target="_blank" rel="noopener noreferrer">www.irs.gov</a>.            300     IN      RRSIG   CNAME 8 3 300 20241115030055 20241101020055 49935 <a href="http://irs.gov" target="_blank" rel="noopener noreferrer">irs.gov</a>. GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31 Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3 d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5 LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q==<br><a href="http://www.irs.gov.edgekey.net" target="_blank" rel="noopener noreferrer">www.irs.gov.edgekey.net</a>. 
300    IN      CNAME   <a href="http://e127382.dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">e127382.dscna.akamaiedge.net</a>.<br><a href="http://e127382.dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">e127382.dscna.akamaiedge.net</a>. 20 IN     A       23.208.28.29<br><a href="http://e127382.dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">e127382.dscna.akamaiedge.net</a>. 20 IN     A       23.208.28.37<br><br>;; AUTHORITY SECTION:<br><a href="http://dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">dscna.akamaiedge.net</a>.   4000    IN      NS      <a href="http://n0dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n0dscna.akamaiedge.net</a>.<br><a href="http://dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">dscna.akamaiedge.net</a>.   4000    IN      NS      <a href="http://n3dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n3dscna.akamaiedge.net</a>.<br><a href="http://dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">dscna.akamaiedge.net</a>.   4000    IN      NS      <a href="http://n2dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n2dscna.akamaiedge.net</a>.<br><a href="http://dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">dscna.akamaiedge.net</a>.   4000    IN      NS      <a href="http://n5dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n5dscna.akamaiedge.net</a>.<br><a href="http://dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">dscna.akamaiedge.net</a>.   4000    IN      NS      <a href="http://n4dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n4dscna.akamaiedge.net</a>.<br><a href="http://dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">dscna.akamaiedge.net</a>.   
4000    IN      NS      <a href="http://n1dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n1dscna.akamaiedge.net</a>.<br><a href="http://dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">dscna.akamaiedge.net</a>.   4000    IN      NS      <a href="http://n6dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n6dscna.akamaiedge.net</a>.<br><a href="http://dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">dscna.akamaiedge.net</a>.   4000    IN      NS      <a href="http://n7dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n7dscna.akamaiedge.net</a>.<br><br>;; ADDITIONAL SECTION:<br><a href="http://n0dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n0dscna.akamaiedge.net</a>. 4000    IN      AAAA    2600:1480:e800::c0<br><a href="http://n0dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n0dscna.akamaiedge.net</a>. 4000    IN      A       88.221.81.192<br><a href="http://n1dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n1dscna.akamaiedge.net</a>. 4000    IN      A       23.63.249.205<br><a href="http://n2dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n2dscna.akamaiedge.net</a>. 4000    IN      A       23.44.6.12<br><a href="http://n3dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n3dscna.akamaiedge.net</a>. 4000    IN      A       23.44.6.9<br><a href="http://n4dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n4dscna.akamaiedge.net</a>. 4000    IN      A       23.44.6.38<br><a href="http://n5dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n5dscna.akamaiedge.net</a>. 4000    IN      A       23.44.6.13<br><a href="http://n6dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n6dscna.akamaiedge.net</a>. 4000    IN      A       23.44.6.22<br><a href="http://n7dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">n7dscna.akamaiedge.net</a>. 
4000    IN      A       23.218.252.156<br><br>;; Query time: 425 msec<br>;; SERVER: ::1#53(::1) (UDP)<br>;; WHEN: Fri Nov 01 14:51:42 UTC 2024<br>;; MSG SIZE  rcvd: 803<br><br></div><div><br></div><div>root@RaspberryPI-00:~ # delv <a href="http://www.irs.gov" target="_blank" rel="noopener noreferrer">www.irs.gov</a>.<br>; fully validated<br><a href="http://www.irs.gov" target="_blank" rel="noopener noreferrer">www.irs.gov</a>.            297     IN      CNAME   <a href="http://www.irs.gov.edgekey.net" target="_blank" rel="noopener noreferrer">www.irs.gov.edgekey.net</a>.<br><a href="http://www.irs.gov" target="_blank" rel="noopener noreferrer">www.irs.gov</a>.            297     IN      RRSIG   CNAME 8 3 300 20241115030055 20241101020055 49935 <a href="http://irs.gov" target="_blank" rel="noopener noreferrer">irs.gov</a>. GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31 Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3 d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5 LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q==<br><br>; unsigned answer<br><a href="http://www.irs.gov.edgekey.net" target="_blank" rel="noopener noreferrer">www.irs.gov.edgekey.net</a>. 75     IN      CNAME   <a href="http://e127382.dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">e127382.dscna.akamaiedge.net</a>.<br><a href="http://e127382.dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">e127382.dscna.akamaiedge.net</a>. 20 IN     A       23.208.28.6<br><a href="http://e127382.dscna.akamaiedge.net" target="_blank" rel="noopener noreferrer">e127382.dscna.akamaiedge.net</a>. 20 IN     A       23.208.28.30<br></div><div><br></div><div><br></div><div>Regards,</div><div><br></div><div>Bob</div><div><br></div></div>
-- <br>Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list<br><br>ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.<br><br><br>bind-users mailing list<br>bind-users@lists.isc.org<br>https://lists.isc.org/mailman/listinfo/bind-users<br></div></blockquote></div></blockquote></div>
      
    
  
        </div></body></html>