Hello, I have a domain signed with DNSSEC: patryk.one.pl. The issue is, the parent one.pl is completely void of DNSSEC support (and it will probably never get fixed).

Therefore:

- . is signed
- .pl is signed, no DS for .one.pl
- .one.pl is NOT signed, no DNSKEY, no DS for .patryk.one.pl
- .patryk.one.pl is signed

My domain is registered with dlv.isc.org, but this is not important anymore, as they announced closing down. Have a look here: http://dnsviz.net/d/patryk.one.pl/dnssec/

The issue is that dnsmasq is returning BOGUS instead of INSECURE. In consequence the domain does not resolve. I believe it is in contradiction with the RFC: https://tools.ietf.org/html/rfc4035#section-5.1

It should mark BOGUS only if top-down validation determines a DS in the parent but a missing DNSKEY in the child. The current behaviour is promoting a race condition, when the domain owner has enabled DNSSEC but didn't upload the DS to the parent and/or it didn't propagate. The same situation occurred a few years ago, when TLDs were gradually enabled: for a while they were signed with a DNSKEY without a DS being set in the parent, only for it to be added several months later. There are still unsigned TLDs and I think they will stop being resolved completely when this happens again. Google Public DNS behaviour is correct.

-- Patryk Szczygłowski
_______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
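An added illustration, not from the post and not dnsmasq's own code, of the RFC 4035 section 5.1 rule the post cites, applied to a constructed model of this delegation chain; the DNSKEY/DS key tags and the extra `broken.pl` zone are made up to show the one case that really is BOGUS (DS published in a signed parent, but the child has no matching DNSKEY):

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    signed: bool                                  # zone publishes a DNSKEY RRset
    dnskey_tags: frozenset = frozenset()          # key tags of its DNSKEYs
    ds: dict = field(default_factory=dict)        # child zone name -> set of DS key tags

# Constructed model of the chain described in the post (key tags are invented).
# A child missing from a parent's `ds` dict models an authenticated denial of
# existence for the DS record (NSEC/NSEC3 proof), which a signed parent can give.
CHAIN = {
    ".": Zone(True, frozenset({1}), {"pl": {2}}),
    "pl": Zone(True, frozenset({2}), {"broken.pl": {3}}),   # no DS for one.pl
    "one.pl": Zone(False),                                   # unsigned, no DNSKEY
    "patryk.one.pl": Zone(True, frozenset({4})),             # signed, parent can't carry a DS
    "broken.pl": Zone(False),                                # constructed: DS at parent, no DNSKEY
}

def ancestors(name):
    """Yield the zone cut path from the root down to `name`."""
    labels = name.rstrip(".").split(".")
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:])

def validate(name, zones=CHAIN):
    """Classify `name` as SECURE, INSECURE or BOGUS by walking the chain top-down."""
    state = "SECURE"           # the root is the configured trust anchor
    parent = None
    for zone in ancestors(name):
        if parent is None:
            parent = zone
            continue
        p, child = zones[parent], zones[zone]
        if state == "SECURE":
            ds_tags = p.ds.get(zone)
            if ds_tags is None:
                state = "INSECURE"          # parent proves there is no DS: unsigned delegation
            elif child.signed and ds_tags & child.dnskey_tags:
                state = "SECURE"            # DS matches a DNSKEY in the child
            else:
                state = "BOGUS"             # DS present but no usable DNSKEY: broken chain
        # Once INSECURE, a child's own DNSKEY has no DS to be verified against,
        # so it stays INSECURE even if the child zone is signed (never BOGUS).
        parent = zone
    return state
```

Run against the model, `patryk.one.pl` comes out INSECURE (the answer the post expects), while only `broken.pl` comes out BOGUS.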