> On 15 Apr 2022, at 09:00, Mark Andrews <[email protected]> wrote:
>
> We had a report on bind-users that DNSSEC validation through a forwarder was
> failing.
>
> On investigation it turns out that the failing zones had CNAME records at the
> zone apex and the DS lookup was returning the cached instance of that instead
> of the signed non-existence of the DS RRset from the parent zone. For zones
> that don't break the prohibition against CNAME and other data this does not
> happen. DS is not a record that is supposed to co-exist with CNAME and
> implementing the simple workaround of not matching DS lookups against CNAMEs
> is likely to have other consequences as returning CNAME is the correct
> response for non-apex names with a CNAME record.
>
> Bring on HTTPS support in browsers as then this CNAME at the apex idiocy can
> go away.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: [email protected]
>
My main worry is that this, correct, cache behaviour breaks DNSSEC validation
through a recursive server. This really should be stopped at data entry / zone
load time.

Note: I am not blaming Cloudfront here. Their documentation says "don't add a
CNAME at top of zone."

Mark

% dig cybr.club
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> cybr.club
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14961
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0cb7e2a725062f97010000006260ad31adf951f9f52ef50c (good)
;; QUESTION SECTION:
;cybr.club.			IN	A

;; ANSWER SECTION:
cybr.club.		1799	IN	CNAME	d2vd625ao8btyl.cloudfront.net.
d2vd625ao8btyl.cloudfront.net. 60 IN	A	52.85.75.35
d2vd625ao8btyl.cloudfront.net. 60 IN	A	52.85.75.94
d2vd625ao8btyl.cloudfront.net. 60 IN	A	52.85.75.72
d2vd625ao8btyl.cloudfront.net. 60 IN	A	52.85.75.47

;; Query time: 3195 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Thu Apr 21 11:02:41 AEST 2022
;; MSG SIZE  rcvd: 173

% dig cybr.club ds
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> cybr.club ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48656
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bb216fe591a66b1e010000006260ad36dd87e2eb361476f9 (good)
;; QUESTION SECTION:
;cybr.club.			IN	DS

;; AUTHORITY SECTION:
club.			52	IN	SOA	ns1.dns.nic.club. admin.tldns.godaddy. 1650502363 1800 300 604800 1800

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Thu Apr 21 11:02:46 AEST 2022
;; MSG SIZE  rcvd: 137

% sleep 60
% dig cybr.club ds
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> cybr.club ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53549
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: db1ab08d465d66ca010000006260ad81b94c0e06a45a6ac6 (good)
;; QUESTION SECTION:
;cybr.club.			IN	DS

;; ANSWER SECTION:
cybr.club.		1716	IN	CNAME	d2vd625ao8btyl.cloudfront.net.

;; AUTHORITY SECTION:
cloudfront.net.		60	IN	SOA	ns-418.awsdns-52.com. hostmaster.cloudfront.net. 1377556270 16384 2048 1048576 60

;; Query time: 64 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Thu Apr 21 11:04:01 AEST 2022
;; MSG SIZE  rcvd: 176
%

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
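The message argues that the CNAME-and-other-data violation should be caught at data entry or zone load time rather than worked around in the resolver cache. The following is an added example, not code from the thread, from ISC or from BIND: a small zone-file linter that parses a minimal presentation-format zone and reports every owner name that carries a CNAME together with other RRsets (RFC 1034 §3.6.2), treating the apex as a special case because SOA and NS always live there. RRSIG/NSEC/NSEC3 are exempted since RFC 4035 permits them beside a CNAME. The sample zone, the `example.test` names and the `example-cdn.test` target are constructed for the example.

```python
"""Zone-load-time check for the CNAME-and-other-data prohibition.

Added illustration (not BIND's own zone checker). The parser handles one RR
per line, optional leading owner, optional TTL and class, $ORIGIN/$TTL and
';' comments; it does not handle parentheses or ';' inside quoted rdata.
"""
from collections import defaultdict

# RFC 4035 §2.5: these DNSSEC types may coexist with a CNAME at one owner.
DNSSEC_COEXIST = {"RRSIG", "NSEC", "NSEC3"}
CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone: a CNAME at the apex (beside the mandatory SOA/NS),
# a clean CNAME at www, and a CNAME at 'bad' that coexists with a TXT record.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA   ns1 hostmaster 2022042101 1800 300 604800 1800
        IN NS    ns1
        IN CNAME cdn.example-cdn.test.   ; apex CNAME: always a violation
ns1     IN A     192.0.2.1
www     IN CNAME cdn.example-cdn.test.   ; fine: nothing else at this owner
bad     IN CNAME cdn.example-cdn.test.
bad     IN TXT   "v=spf1 -all"           ; CNAME + other data
"""


def _fqdn(name, origin):
    """Turn a presentation-format name into an absolute name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return {owner: {rrtype: [rdata, ...]}} for a minimal zone file."""
    if not origin.endswith("."):
        origin += "."
    rrsets = defaultdict(lambda: defaultdict(list))
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0] == "$TTL":
            continue
        # The owner is present only when the line does not start with blanks.
        if line[0].isspace():
            owner = last_owner
        else:
            owner = _fqdn(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():            # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:   # optional class
            tokens.pop(0)
        if not tokens:
            raise ValueError(f"no RR type on line: {raw!r}")
        rrtype = tokens.pop(0).upper()
        rrsets[owner][rrtype].append(" ".join(tokens))
    return rrsets


def check_cname_coexistence(rrsets):
    """Return [(owner, is_apex, [conflicting types])] for every owner that has
    a CNAME plus other, non-exempt data. The apex is the owner of the SOA; a
    CNAME there always conflicts because SOA and NS are mandatory at the apex."""
    findings = []
    for owner, by_type in sorted(rrsets.items()):
        if "CNAME" not in by_type:
            continue
        others = sorted(t for t in by_type
                        if t != "CNAME" and t not in DNSSEC_COEXIST)
        if others:
            findings.append((owner, "SOA" in by_type, others))
    return findings


def lint_zone(text, origin):
    """Parse and check a zone; the load-time gate would reject any findings."""
    return check_cname_coexistence(parse_zone(text, origin))


if __name__ == "__main__":
    for owner, is_apex, others in lint_zone(SAMPLE_ZONE, "example.test"):
        where = "zone apex" if is_apex else "owner"
        print(f"REJECT {where} {owner}: CNAME coexists with {', '.join(others)}")
```

Run as a pre-publish gate the script rejects the apex CNAME and the `bad` owner while leaving `www` alone, which is the distinction the thread draws: the CNAME at a non-apex name is the correct answer and must keep working, so the problem has to be refused where the data enters rather than patched in the resolver's DS lookup.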
