I have a domain signed with DNSSEC: patryk.one.pl
The issue is, the parent one.pl is completely void of DNSSEC support (and
it will probably never get fixed).
- . is signed
- .pl is signed, no DS for .one.pl
- .one.pl is NOT signed, no DNSKEY, no DS for .patryk.one.pl
- .patryk.one.pl is signed
My domain is registered with dlv.isc.org, but this is not important anymore,
as they announced closing down.
Have a look here:
The issue is dnsmasq is returning BOGUS instead of INSECURE. In consequence
the domain does not resolve.
I believe it is in contradiction with RFC:
It should mark BOGUS only if top-down validation determines a DS in the parent
but a missing DNSKEY in the child.
Current behaviour is promoting a race condition: when the domain owner
enabled DNSSEC but didn't upload the DS to the parent, and/or it didn't propagate.
The same situation was a few years ago, when TLDs were gradually enabled:
for a while they were signed with a DNSKEY without a DS being set on the
parent, only to be put in several months later. There are still unsigned TLDs,
and I think they will stop being resolved completely when this happens.
Google Public DNS behaviour is correct.
Dnsmasq-discuss mailing list
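The top-down walk the post describes, as an added example that is not dnsmasq's code or the poster's: a toy chain-of-trust validator that classifies a zone apex as SECURE, INSECURE or BOGUS in the sense of RFC 4035. The zone contents mirror the `. -> pl -> one.pl -> patryk.one.pl` situation above but are constructed; the key tags are made-up numbers, the absence of a DS under a signed parent is assumed to come with an authenticated (NSEC/NSEC3) denial, and DLV is not modelled.

```python
# Added example: a toy top-down DNSSEC chain-of-trust walk (not dnsmasq code).
# Zone data and key tags below are constructed for illustration only.
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                                   # zone apex, with trailing dot
    dnskey_tags: frozenset = frozenset()        # key tags of DNSKEYs published; empty = unsigned
    ds: dict = field(default_factory=dict)      # child apex -> key tags referenced by the parent's DS
    # Assumption: a signed parent that lists no DS for a child has an
    # authenticated (NSEC/NSEC3) denial of existence for that DS RRset.


TRUST_ANCHOR = frozenset({1001})   # constructed root key tag, stands in for the real root KSK


def chain_of(name):
    """'patryk.one.pl.' -> ['.', 'pl.', 'one.pl.', 'patryk.one.pl.']"""
    labels = [l for l in name.rstrip('.').split('.') if l]
    return ['.'] + ['.'.join(labels[i:]) + '.' for i in range(len(labels) - 1, -1, -1)]


def validate(name, zones):
    """Walk root -> leaf and return (status, reason). State only flows downward."""
    root = zones['.']
    if not (root.dnskey_tags & TRUST_ANCHOR):
        return 'BOGUS', 'root DNSKEY does not match the configured trust anchor'
    status, reason = 'SECURE', 'every delegation verified by a DS/DNSKEY match'
    chain = chain_of(name)
    for parent_name, child_name in zip(chain, chain[1:]):
        if status == 'INSECURE':
            # Below a proven-insecure delegation nothing can be validated, whether or
            # not the child publishes DNSKEYs: it stays INSECURE and is never BOGUS.
            continue
        parent = zones[parent_name]
        child = zones.get(child_name)
        ds_tags = parent.ds.get(child_name, set())
        if not ds_tags:
            # Signed parent with authenticated denial of DS: secure delegation to an
            # insecure child. This is the patryk.one.pl case (and the "DS not yet
            # uploaded" race): the answer is INSECURE, not BOGUS.
            status = 'INSECURE'
            reason = f'{parent_name} proves there is no DS for {child_name}'
            continue
        # The parent vouches for the child with a DS, so the child MUST present a
        # DNSKEY matching it; this is the only place the walk yields BOGUS.
        if child is None or not (child.dnskey_tags & ds_tags):
            return 'BOGUS', f'{parent_name} has DS for {child_name} but no matching DNSKEY'
        status = 'SECURE'
    return status, reason


def case_from_post():
    """Signed root and .pl, unsigned one.pl, signed patryk.one.pl, no DS anywhere below .pl."""
    zones = {
        '.': Zone('.', frozenset({1001}), {'pl.': {2001}}),
        'pl.': Zone('pl.', frozenset({2001})),                        # no DS for one.pl
        'one.pl.': Zone('one.pl.'),                                    # unsigned zone
        'patryk.one.pl.': Zone('patryk.one.pl.', frozenset({4001})),  # signed island
    }
    return validate('patryk.one.pl.', zones)[0]


def case_ds_without_dnskey():
    """Parent publishes a DS but the child has no DNSKEY: the one legitimate BOGUS case."""
    zones = {
        '.': Zone('.', frozenset({1001}), {'pl.': {2001}}),
        'pl.': Zone('pl.', frozenset({2001}), {'one.pl.': {3001}}),
        'one.pl.': Zone('one.pl.'),
        'patryk.one.pl.': Zone('patryk.one.pl.', frozenset({4001})),
    }
    return validate('patryk.one.pl.', zones)[0]


def case_fully_signed():
    """Every delegation carries a DS matching the child's DNSKEY."""
    zones = {
        '.': Zone('.', frozenset({1001}), {'pl.': {2001}}),
        'pl.': Zone('pl.', frozenset({2001}), {'one.pl.': {3001}}),
        'one.pl.': Zone('one.pl.', frozenset({3001}), {'patryk.one.pl.': {4001}}),
        'patryk.one.pl.': Zone('patryk.one.pl.', frozenset({4001})),
    }
    return validate('patryk.one.pl.', zones)[0]


if __name__ == '__main__':
    for fn in (case_from_post, case_ds_without_dnskey, case_fully_signed):
        print(f'{fn.__name__}: {fn()}')
```

The walk never inspects whether a zone below an insecure delegation is itself signed: once `pl.` has proven that no DS exists for `one.pl.`, the DNSKEYs published by `patryk.one.pl.` are simply unvalidatable, which is the INSECURE outcome the post expects rather than the BOGUS one it observed.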