On Sat, 9 Sep 2017 13:53:52 -0700 Peter Bowen via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer <a...@andrewayer.name> wrote:
> >
> > drill is buggy and insecure. Obviously, such implementations can
> > be found. Note that drill is just a "debugging/query" tool, not a
> > resolver you would actually use in production. You'll find that the
> > production-grade resolver from that family (unbound) correctly
> > reports an error when you try to query the CAA record for
> > refused.caatestsuite-dnssec.com: https://unboundtest.com/
>
> Just as I received this, I finished testing with unbound, to see what
> it does. See the results below. For your blackhole, servfail, and
> refused cases it clearly says insecure, not bogus.

That is very clearly against RFC4033, which defines Insecure as:

   The validating resolver has a trust anchor, a chain of trust, and, at
   some delegation point, signed proof of the non-existence of a DS
   record. This indicates that subsequent branches in the tree are
   provably insecure. A validating resolver may have a local policy to
   mark parts of the domain space as insecure.

There is no "signed proof of the non-existence of a DS record" for
blackhole, servfail, and refused, so it cannot possibly be insecure.

Regards,
Andrew

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
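The RFC 4033 distinction drawn in the reply above, as an added example that is not code from the thread, from unbound or from the caatestsuite project: a small Python model that walks the delegation chain the validator has established and classifies the outcome of a CAA lookup. The chain for caatestsuite-dnssec.com, the answers and the unsigned comparison zone are all constructed to mirror the thread's blackhole, servfail and refused cases; nothing about the real test suite's configuration is taken from the page. The LOOKUP_FAILURE value is not an RFC 4033 state; it is introduced here so that a non-response stays separate from the four validation states and can never be reported as Insecure.

```python
"""Classify a DNSSEC validation outcome along the lines of RFC 4033 section 5
and decide whether a CAA lookup may rely on it.  Constructed model; the
delegation chain and answers are assumptions for illustration only."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    SECURE = "Secure"
    INSECURE = "Insecure"
    BOGUS = "Bogus"
    INDETERMINATE = "Indeterminate"
    LOOKUP_FAILURE = "Lookup failure"  # added here; not an RFC 4033 state


@dataclass(frozen=True)
class Delegation:
    """What the validator established at one delegation point (zone cut)."""
    zone: str
    has_ds: bool        # a validated DS RRset for this child exists in the parent
    proven_no_ds: bool  # the parent returned signed NSEC/NSEC3 proof that no DS exists


@dataclass(frozen=True)
class Answer:
    """The final response as the validator sees it; rcode None means a timeout."""
    rcode: Optional[str]
    rrsigs_validate: Optional[bool]  # None when the response carried no RRSIGs


def classify(chain: list[Delegation], answer: Answer, trust_anchor: bool = True) -> State:
    if not trust_anchor:
        return State.INDETERMINATE
    # SERVFAIL, REFUSED and a timeout (blackhole) all mean there is no data to classify.
    no_response = answer.rcode is None or answer.rcode in ("SERVFAIL", "REFUSED")
    # Walk the delegations from the trust anchor downward.
    for d in chain:
        if d.proven_no_ds:
            # Signed proof of no DS: everything below is provably unsigned, but
            # "Insecure" still describes data that actually arrived.
            return State.LOOKUP_FAILURE if no_response else State.INSECURE
        if not d.has_ds:
            # Neither a DS nor signed proof of its absence: the chain is broken.
            return State.BOGUS
    # Every delegation carried a DS, so a validating answer is expected here.
    if no_response:
        # No signed proof of a missing DS exists, so this cannot be Insecure.
        return State.LOOKUP_FAILURE
    if answer.rrsigs_validate is True:
        return State.SECURE
    return State.BOGUS  # signed zone, but signatures missing or invalid


def caa_may_use_answer(state: State) -> bool:
    """A CA may act on a CAA answer only when it is Secure or provably Insecure."""
    return state in (State.SECURE, State.INSECURE)


# Constructed chain: root -> com -> caatestsuite-dnssec.com, every cut carrying a DS.
SIGNED_CHAIN = [
    Delegation("com.", has_ds=True, proven_no_ds=False),
    Delegation("caatestsuite-dnssec.com.", has_ds=True, proven_no_ds=False),
]
# Constructed answers modelled on the thread's three cases plus two controls.
SCENARIOS = {
    "refused": Answer(rcode="REFUSED", rrsigs_validate=None),
    "servfail": Answer(rcode="SERVFAIL", rrsigs_validate=None),
    "blackhole": Answer(rcode=None, rrsigs_validate=None),
    "valid": Answer(rcode="NOERROR", rrsigs_validate=True),
    "stripped": Answer(rcode="NOERROR", rrsigs_validate=None),  # RRSIGs removed in transit
}
# Constructed unsigned zone whose parent proves the missing DS: genuinely Insecure.
UNSIGNED_CHAIN = [
    Delegation("com.", has_ds=True, proven_no_ds=False),
    Delegation("example-unsigned.com.", has_ds=False, proven_no_ds=True),
]


def run_scenarios() -> dict[str, tuple[str, bool]]:
    results = {}
    for name, ans in SCENARIOS.items():
        st = classify(SIGNED_CHAIN, ans)
        results[name] = (st.value, caa_may_use_answer(st))
    st = classify(UNSIGNED_CHAIN, Answer(rcode="NOERROR", rrsigs_validate=None))
    results["unsigned-with-proof"] = (st.value, caa_may_use_answer(st))
    return results


if __name__ == "__main__":
    for name, (state, usable) in run_scenarios().items():
        print(f"{name:20s} {state:15s} CAA usable: {usable}")
```

The point the model makes explicit is that the three failing cases never reach a delegation with signed proof of a missing DS, so the only honest outputs are Lookup failure or Bogus; the unsigned comparison zone is the sole path that ends in Insecure, and only when an answer actually arrived. A real resolver would also have to retry and distinguish its own infrastructure faults before concluding anything about the remote zone; that policy layer is deliberately left out of the model.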