Hi Viktor,

On Fri, 13 Mar 2020 at 12:56, Viktor Dukhovni <[email protected]> wrote:
>
> I am running into either a stale NTA or perhaps special-casing of
> algorithm 6 (DSA-NSEC3-SHA1) when using Cloudflare to query the TLSA
> records of beta.peek.ru, which have valid DSA-NSEC3-SHA1 (deprecated)
> 1024-bit signatures:
>
> https://dnsviz.net/d/_25._tcp.beta.peek.ru/XmvZ6A/dnssec/
>
> but Cloudflare DNS returns AD=0 and no RRSIGs, even with CD=1:
>
> _25._tcp.beta.peek.ru. IN CNAME _tlsa.peek.ru. ; NoError AD=0
> _tlsa.peek.ru. IN TLSA 3 0 1 925758b9aed10aa43ad72b5cd170eee4744d56cda9e3d970df2769e3085b083d ; NoError AD=0
> _tlsa.peek.ru. IN TLSA 3 0 1 ef3d63aa7b10d1f060d43d30b356f19a38fddb36542ab188da787524be265a24 ; NoError AD=0
>
> Can someone from Cloudflare comment on why this is happening?
DSA-NSEC3-SHA1 has been deprecated in https://tools.ietf.org/html/rfc8624,
so zones below a DS with these keys are effectively treated as unsigned zones
(rfc4035 5.2), but you raise a good point that the method of doing so is not
consistent.

> By way of contrast Google, Verisign and Quad9 all return RRSIGs and AD=1:

8.8.8.8/8.8.4.4 seems to return AD=0 but also RRSIGs when CD=1, which seems
to me like the best behavior honestly.

> $ for ip in 1.0.0.1 1.1.1.1 8.8.4.4 8.8.8.8 64.6.64.6 64.6.65.6 9.9.9.10 149.112.112.10
> do
>     printf "%s " $ip
>     hsdig -n $ip -C -D -t tlsa _25._tcp.beta.peek.ru |
>         grep ' IN RRSIG TLSA ' ||
>         echo "<unsigned>"
> done
> 1.0.0.1 <unsigned>
> 1.1.1.1 <unsigned>
> 8.8.4.4 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=0
> 8.8.8.8 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=0
> 64.6.64.6 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=1
> 64.6.65.6 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=1
> 9.9.9.10 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=1
> 149.112.112.10 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=0
>
> --
> Viktor.
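An added example, not part of the thread, modelling the two behaviours compared above: the RFC 4035 section 5.2 rule under which a validator that has dropped algorithm 6 per RFC 8624 treats the delegation as unsigned, next to a validator that still accepts DSA and so can still set AD=1. The DS RRset for peek.ru is constructed (only the key tag 24176 and algorithm 6 come from the quoted RRSIG), and the policy table is my transcription of RFC 8624's validation column.

```python
from collections import namedtuple

# "Use for DNSSEC Validation" column of RFC 8624 section 3.1 (assumed to
# mirror the RFC's table; algorithms not listed are treated as MUST NOT).
VALIDATE_POLICY = {
    1: "MUST NOT", 3: "MUST NOT", 5: "MUST", 6: "MUST NOT", 7: "MUST",
    8: "MUST", 10: "MUST", 12: "MAY", 13: "MUST", 14: "RECOMMENDED",
    15: "RECOMMENDED", 16: "RECOMMENDED",
}

def rfc8624_accepts(alg: int) -> bool:
    """True if an RFC 8624 validator may still validate with this algorithm."""
    return VALIDATE_POLICY.get(alg, "MUST NOT") != "MUST NOT"

def legacy_accepts(alg: int) -> bool:
    """A pre-RFC 8624 validator that still validates DSA (algorithms 3 and 6)."""
    return rfc8624_accepts(alg) or alg in {3, 6}

DS = namedtuple("DS", "key_tag algorithm digest_type")

def delegation_status(ds_rrset, accepts=rfc8624_accepts) -> str:
    """RFC 4035 section 5.2: if the validator supports none of the algorithms
    in an authenticated DS RRset there is no authentication path, so the child
    is treated like a delegation whose DS is proven absent ("insecure")."""
    if not ds_rrset:
        return "insecure"
    return "secure" if any(accepts(ds.algorithm) for ds in ds_rrset) else "insecure"

def parse_rrsig(line: str) -> dict:
    """Split an RRSIG in presentation format (RFC 4034 section 3.2) into fields."""
    f = line.split()
    i = f.index("RRSIG") + 1
    return {"type_covered": f[i], "algorithm": int(f[i + 1]), "labels": int(f[i + 2]),
            "original_ttl": int(f[i + 3]), "expiration": f[i + 4], "inception": f[i + 5],
            "key_tag": int(f[i + 6]), "signer": f[i + 7], "signature": f[i + 8]}

# Constructed sample: the RRSIG quoted in the thread, plus a DS RRset for
# peek.ru assumed to reference only that algorithm 6 key (digest type assumed).
SAMPLE_RRSIG = ("_tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 "
                "20200303101252 24176 peek.ru. "
                "AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y=")
PEEK_DS = [DS(key_tag=24176, algorithm=6, digest_type=2)]

def classify(ds_rrset, rrsig_line) -> dict:
    """Status of one delegation under both policies; AD may only be set when
    the validator's own status is "secure" and the RRSIG actually verified."""
    sig = parse_rrsig(rrsig_line)
    return {"rrsig_algorithm": sig["algorithm"], "key_tag": sig["key_tag"],
            "rfc8624": delegation_status(ds_rrset, rfc8624_accepts),
            "legacy": delegation_status(ds_rrset, legacy_accepts)}
```

Adding a second DS with algorithm 13 to PEEK_DS flips the RFC 8624 result to "secure", which is the operator-side fix: sign with a supported algorithm before validators stop accepting the old one.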
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
