[Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus
Patryk Szczygłowski
patryk at patryk.net
Mon Mar 27 16:37:09 BST 2017
Hello,
I have domain signed with DNSSEC: patryk.one.pl
The issue is, the parent one.pl is completely void of DNSSEC support (and
it will probably never get fixed).
Therefore:
- . is signed
- .pl is signed, no DS for .one.pl
- .one.pl is NOT signed, no DNSKEY, no DS for .patryk.one.pl
- .patryk.one.pl is signed
My domain is registered with dlv.isc.org, but this not important anymore,
as they announced closing down.
Have a look here:
http://dnsviz.net/d/patryk.one.pl/dnssec/
The issue is dnsmasq is returning BOGUS instead of INSECURE. In consequence
the domain does not resolve.
I believe it is in contradiction with RFC:
https://tools.ietf.org/html/rfc4035#section-5.1
It should mark BOGUS only if top-bottom validation determies DS in parent
but missing DNSKEY in child.
Current behaviour is promoting a race condition, when the domain owner
enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.
The same situation was few years ago, when TLDs were gradually enabled,
when for a while they were signed with DNSKEY without DS being set on
parent, only to be put several months later. There are still unsigned TLDs
and I think they will stop being resolved completely when this happens
again.
Google Public DNS behaviour is correct.
--
Patryk Szczygłowski
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20170327/3e950720/attachment.html>
More information about the Dnsmasq-discuss
mailing list