[Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus

Simon Kelley simon at thekelleys.org.uk
Mon Mar 27 17:38:44 BST 2017


This is a real problem, and I plan to look at it (and all the other
stuff I've been ignoring.....) ASAP. I'm moving house just now, so very
short of time. If I don't produce something by the end of next week,
please prod me again.


Cheers,

Simon.


On 27/03/17 16:37, Patryk Szczygłowski wrote:
> Hello,
> 
> I have a domain signed with DNSSEC: patryk.one.pl
> The issue is, the parent one.pl is completely void of
> DNSSEC support (and it will probably never get fixed).
> 
> Therefore:
> - . is signed
> - .pl is signed, no DS for .one.pl
> - .one.pl is NOT signed, no DNSKEY, no DS for .patryk.one.pl
> - .patryk.one.pl is signed
> 
> My domain is registered with dlv.isc.org, but this is
> not important anymore, as they announced closing down.
> 
> Have a look here:
> http://dnsviz.net/d/patryk.one.pl/dnssec/
> 
> The issue is dnsmasq is returning BOGUS instead of INSECURE. In
> consequence the domain does not resolve.
> I believe it is in contradiction with RFC:
> https://tools.ietf.org/html/rfc4035#section-5.1
> 
> It should mark BOGUS only if top-bottom validation determines DS in
> parent but missing DNSKEY in child.
> 
> Current behaviour is promoting a race condition, when the domain owner
> enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.
> 
> The same situation was a few years ago, when TLDs were gradually enabled,
> when for a while they were signed with DNSKEY without DS being set on
> parent, only to be put several months later. There are still unsigned
> TLDs and I think they will stop being resolved completely when this
> happens again.
> 
> Google Public DNS behaviour is correct.
> 
> -- 
> Patryk Szczygłowski
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
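The top-down validation described in the quoted report, as an added example that is not part of the thread or of dnsmasq's code: a small model of the RFC 4035 section 5.1 decision at each delegation. The chain data, the zone names and the island_is_bogus switch are constructed to mirror the reported setup (root and .pl signed, .pl authentically denying a DS for one.pl, one.pl unsigned, patryk.one.pl signed).

```python
SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"

# Constructed delegation chain mirroring the quoted report. Each step is
# (zone, parent publishes DS, parent authentically denies DS via NSEC/NSEC3,
#  zone publishes DNSKEY, some DNSKEY matches the parent's DS).
CHAIN = [
    ("pl.",            True,  False, True,  True),
    ("one.pl.",        False, True,  False, False),
    ("patryk.one.pl.", False, False, True,  False),
]

def validate_chain(chain, island_is_bogus=False):
    """Walk delegations top-down from a trusted, signed root (RFC 4035 s5.1).

    Returns a list of (zone, status). With island_is_bogus=False this follows
    the RFC; with True it models the misbehaviour the report describes, where
    a zone that publishes DNSKEYs under an unsigned parent is rejected.
    """
    state, trace = SECURE, []
    for zone, ds, denial, has_key, key_ok in chain:
        if state == SECURE:
            if ds:                      # secure delegation: a DNSKEY must match the DS
                state = SECURE if has_key and key_ok else BOGUS
            elif denial:                # proven unsigned delegation
                state = INSECURE
            else:                       # no DS and no proof of its absence
                state = BOGUS
        elif state == INSECURE:
            # No secure path exists below here; the child's DNSKEYs cannot be
            # chained to a trust anchor, so the RFC result is INSECURE, not BOGUS.
            state = BOGUS if (island_is_bogus and has_key) else INSECURE
        trace.append((zone, state))
        if state == BOGUS:
            break
    return trace

def final_status(chain, island_is_bogus=False):
    """Validation status of the last zone in the chain."""
    return validate_chain(chain, island_is_bogus)[-1][1]

if __name__ == "__main__":
    for flag in (False, True):
        print("island_is_bogus=%s:" % flag, validate_chain(CHAIN, flag))
```

Only a DS in a secure parent with no matching DNSKEY in the child produces BOGUS; a missing DS proven by the parent makes the whole subtree INSECURE, and a later signed zone cannot change that.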
