On Fri, Mar 13, 2020 at 01:52:04PM -0700, Marek Vavruša wrote:
> On Fri, 13 Mar 2020 at 12:56, Viktor Dukhovni <[email protected]> wrote:
> >
> > I am running into either a stale NTA or perhaps special-casing of
> > algorithm 6 (DSA-NSEC3-SHA1) when using Cloudflare to query the TLSA
> > records of beta.peek.ru, which have valid DSA-NSEC3-SHA1 (deprecated)
> > 1024-bit signatures:
> >
> > https://dnsviz.net/d/_25._tcp.beta.peek.ru/XmvZ6A/dnssec/
>
> The DSA-NSEC3-SHA1 has been deprecated in
> https://tools.ietf.org/html/rfc8624 so zones below DS with these keys
> are effectively treated as unsigned zones (rfc4035 5.2), but you raise
> a good point that the method of doing so is not consistent.

Treating them as unsigned is fine for setting the AD bit, but not
returning the RRSIG when a downstream iterative resolver sets DO=1 (even
with CD=1) means that downstream resolvers that still validate DSA now
consider the domain "bogus", not just unsigned.

The new RFC8624 (https://tools.ietf.org/html/rfc8624#section-3.1) status
of DSA-NSEC3-SHA1 (6) as "MUST NOT" for both signing and validation is
less than one year old, and there are still fielded resolvers that have
not been updated to ignore it, including "unbound" 1.9.6, which was,
prior to Feb 20th, the latest release.

[ My DANE survey is presently running on a Fedora 31 system with
  unbound 1.9.6. ]

Therefore, it is, I think, somewhat premature to drop DSA RRSIGs in
response to DO=1 queries. In the short term (next couple of years) RRSIG
and NSEC records should probably be forwarded to downstream resolvers
that set DO=1.

-- 
	Viktor.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
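The distinction drawn in the message above (an upstream resolver treating an algorithm 6 zone as unsigned, versus a downstream validator that still supports DSA seeing a signed delegation with no RRSIGs) can be modelled in a few lines. The following is an added example for this thread, not code from either poster or from any resolver; it only applies the RFC 4035 section 5.2 rule on unsupported DS algorithms and checks for RRSIG presence, performs no real signature verification, and the two validator profiles, the forwarder model and the record data are all constructed assumptions.

```python
"""Simulated DNSSEC outcome for a zone delegated with a DSA-NSEC3-SHA1 (6) DS.

Constructed example: models only the RFC 4035 5.2 rule ("no supported algorithm
in the authenticated DS RRset" => treat the child as unsigned) and whether the
answer carried RRSIG records.  No cryptographic verification is done and the
zone/record data is made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# DNSSEC algorithm numbers from the IANA registry
DSA_NSEC3_SHA1 = 6
RSASHA256 = 8
ECDSAP256SHA256 = 13

# Two validator profiles (assumptions for the example, not a survey of real software):
#   LEGACY_VALIDATOR  still validates algorithm 6 (as the message says unbound 1.9.6 does)
#   RFC8624_VALIDATOR ignores algorithm 6 for validation (RFC 8624 "MUST NOT")
LEGACY_VALIDATOR: FrozenSet[int] = frozenset({DSA_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256})
RFC8624_VALIDATOR: FrozenSet[int] = frozenset({RSASHA256, ECDSAP256SHA256})


@dataclass(frozen=True)
class Answer:
    """What a downstream validator received for a DO=1 query."""
    ds_algorithms: FrozenSet[int]   # algorithms in the authenticated DS RRset at the parent
    rrsig_present: bool             # did the answer include the RRSIG records?
    rrsig_verifies: bool = True     # assume the signature itself is valid when present


def validate(answer: Answer, supported: FrozenSet[int]) -> str:
    """Return 'secure', 'insecure' or 'bogus' for this validator profile."""
    # RFC 4035 5.2: no supported algorithm in the DS RRset -> no authentication
    # path, treated like a proven absence of DS, i.e. the child is unsigned.
    if not answer.ds_algorithms & supported:
        return "insecure"
    # A supported DS exists, so the zone is signed from this validator's point of
    # view: an answer without RRSIGs (or with a bad one) cannot validate.
    if not answer.rrsig_present or not answer.rrsig_verifies:
        return "bogus"
    return "secure"


def forward(answer: Answer, upstream_supported: FrozenSet[int], strip_rrsigs: bool) -> Answer:
    """Model an upstream forwarding resolver relaying the answer downstream.

    If the upstream does not support any DS algorithm for the zone and is
    configured to strip RRSIGs from zones it considers unsigned, the downstream
    validator never sees the signatures.  With strip_rrsigs=False the upstream
    relays RRSIG/NSEC data untouched, as the message recommends.
    """
    if strip_rrsigs and not answer.ds_algorithms & upstream_supported:
        return Answer(answer.ds_algorithms, rrsig_present=False,
                      rrsig_verifies=answer.rrsig_verifies)
    return answer


def run_scenarios() -> Dict[str, str]:
    """Constructed zone: DS with algorithm 6 only, authoritative answer signed."""
    authoritative = Answer(ds_algorithms=frozenset({DSA_NSEC3_SHA1}), rrsig_present=True)
    stripped = forward(authoritative, RFC8624_VALIDATOR, strip_rrsigs=True)
    relayed = forward(authoritative, RFC8624_VALIDATOR, strip_rrsigs=False)
    return {
        "stripped/legacy": validate(stripped, LEGACY_VALIDATOR),
        "stripped/rfc8624": validate(stripped, RFC8624_VALIDATOR),
        "relayed/legacy": validate(relayed, LEGACY_VALIDATOR),
        "relayed/rfc8624": validate(relayed, RFC8624_VALIDATOR),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:18s} -> {outcome}")
```

The two "stripped" rows are the point of the message: the same RRSIG-less answer is merely insecure to a validator that already ignores algorithm 6, but bogus (SERVFAIL) to one that still validates DSA. Relaying the RRSIGs unchanged leaves the RFC 8624 validator's result unaffected while letting the legacy validator succeed.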
