[Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus
tore at fud.no
Tue Sep 3 17:43:08 BST 2019
> OK. scratch that. Looks like we just captured an irrelevant key-rollover.
> The problem here is that the reply to the original query contains an
> unsigned RRset of NS records in the auth section. Said NS records are in
> a signed zone, which flags them as bogus. As far as I can see, that's
> correct for records in the answer section, but for records in the auth
> section, it merely renders the reply as insecure. That would seem to
> make the AD bit rather useless, but I guess it's useless anyway.....
> Attempts to fix this.
> Thanks again for your work testing and diagnosing this.
I can confirm that Dnsmasq 69a0477 resolves www.linuxquestions.org and www.ipv6.org.uk as expected (DNSSEC state insecure). Great work, thanks!
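
The rule described in the quoted message, as a simplified model added here (not dnsmasq's code and not part of the original post): an unsigned RRset inside a signed zone is bogus in the answer section but only downgrades the reply to insecure in the authority section. The names, the `RRset` fields and the `authority_unsigned_is_bogus` switch are assumptions made for illustration, and any RRSIG that is present is assumed to verify.

```python
from dataclasses import dataclass
from enum import IntEnum


class Status(IntEnum):
    # Ordered so max() picks the worst result across a reply.
    SECURE = 0
    INSECURE = 1
    BOGUS = 2


@dataclass(frozen=True)
class RRset:
    section: str       # "answer" or "authority"
    owner: str
    rtype: str
    zone_signed: bool  # chain of trust shows the enclosing zone is signed
    has_rrsig: bool    # assumption: an RRSIG that is present verifies


def rrset_status(rr, authority_unsigned_is_bogus):
    if not rr.zone_signed:
        return Status.INSECURE      # provably unsigned zone
    if rr.has_rrsig:
        return Status.SECURE
    # Unsigned RRset inside a signed zone.
    if rr.section == "authority" and not authority_unsigned_is_bogus:
        return Status.INSECURE      # rule described in the message
    return Status.BOGUS


def reply_status(rrsets, authority_unsigned_is_bogus=False):
    return max(rrset_status(rr, authority_unsigned_is_bogus) for rr in rrsets)


def ad_bit(rrsets):
    # AD is only meaningful when every RRset in the reply validated.
    return reply_status(rrsets) is Status.SECURE


# Constructed replies (placeholder names, not the domains in the thread).
CNAME_REPLY = [
    RRset("answer", "www.unsigned.example", "CNAME", False, False),
    RRset("answer", "host.signed.example", "A", True, True),
    RRset("authority", "signed.example", "NS", True, False),
]
SIGNED_ANSWER_UNSIGNED_NS = CNAME_REPLY[1:]
UNSIGNED_ANSWER = [RRset("answer", "host.signed.example", "A", True, False)]
```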