This is a real problem, and I plan to look at it (and all the other stuff I've been ignoring.....) ASAP. I'm moving house just now, so very short of time. If I don't produce something by the end of next week, please prod me again.
Cheers, Simon.

On 27/03/17 16:37, Patryk Szczygłowski wrote:
> Hello,
>
> I have a domain signed with DNSSEC: patryk.one.pl
> The issue is, the parent one.pl is completely void of DNSSEC support (and it will probably never get fixed).
>
> Therefore:
> - . is signed
> - .pl is signed, no DS for .one.pl
> - .one.pl is NOT signed, no DNSKEY, no DS for .patryk.one.pl
> - .patryk.one.pl is signed
>
> My domain is registered with dlv.isc.org, but this is not important anymore, as they announced closing down.
>
> Have a look here:
> http://dnsviz.net/d/patryk.one.pl/dnssec/
>
> The issue is dnsmasq is returning BOGUS instead of INSECURE. In consequence the domain does not resolve.
> I believe it is in contradiction with RFC:
> https://tools.ietf.org/html/rfc4035#section-5.1
>
> It should mark BOGUS only if top-bottom validation determines DS in parent but missing DNSKEY in child.
>
> Current behaviour is promoting a race condition, when the domain owner enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.
>
> The same situation was a few years ago, when TLDs were gradually enabled, when for a while they were signed with DNSKEY without DS being set on parent, only to be put several months later. There are still unsigned TLDs and I think they will stop being resolved completely when this happens again.
>
> Google Public DNS behaviour is correct.
>
> --
> Patryk Szczygłowski
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasqfirstname.lastname@example.org
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
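The distinction Patryk draws (DS at the parent pointing at a key the child does not publish is the BOGUS case; a signed zone below a provably unsigned parent is INSECURE and must still resolve) as an added, simplified Python model of the RFC 4035 section 5 walk. This is not dnsmasq's validator; the zone names follow the thread, while the key tags, the `Zone` structure and the `NO_PROOF` sentinel are constructed for the example.

```python
"""Simplified DNSSEC chain-of-trust walk in the spirit of RFC 4035 section 5.
Constructed example, not dnsmasq code; key tags and zone data are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"
NO_PROOF = object()  # validator got neither a DS RRset nor a signed denial of DS


@dataclass
class Zone:
    name: str
    # key tags of the DNSKEYs the zone publishes; empty list = unsigned zone
    dnskey_tags: List[int] = field(default_factory=list)
    # per delegated child: key tags its DS records point at, or None for an
    # authenticated (NSEC/NSEC3-signed) proof that no DS exists at the parent
    ds_for_child: Dict[str, Optional[List[int]]] = field(default_factory=dict)


def validate_chain(zones: Dict[str, Zone], qname: str) -> Tuple[str, str]:
    """Walk from the root (assumed trust anchor) down to qname.
    Returns (status, name of the zone at which that status was decided)."""
    labels = qname.rstrip(".").split(".")
    parent, status, decided_at = zones["."], SECURE, "."
    for i in range(len(labels) - 1, -1, -1):
        child_name = ".".join(labels[i:]) + "."
        child = zones[child_name]
        if status == SECURE:
            ds = parent.ds_for_child.get(child_name, NO_PROOF)
            if ds is NO_PROOF:
                return BOGUS, child_name  # secure parent must show DS or prove its absence
            if ds is None:
                status, decided_at = INSECURE, child_name  # proven unsigned delegation
            elif any(tag in child.dnskey_tags for tag in ds):
                status, decided_at = SECURE, child_name
            else:
                # Parent vouches for a key the child does not publish: the only
                # case on this path that should be reported as BOGUS.
                return BOGUS, child_name
        # Once the chain is insecure it stays insecure: a signed child such as
        # patryk.one.pl cannot be tied to the trust anchor, but that is not a
        # validation failure, so the answer is still returned to the client.
        parent = child
    return status, decided_at


def patryk_case() -> Dict[str, Zone]:
    """Constructed model of the chain described in the thread."""
    return {
        ".": Zone(".", [1], {"pl.": [2]}),
        "pl.": Zone("pl.", [2], {"one.pl.": None}),       # signed denial of DS
        "one.pl.": Zone("one.pl.", [], {}),               # unsigned, no proofs
        "patryk.one.pl.": Zone("patryk.one.pl.", [4], {}),  # signed, unreachable
    }
```

Running `validate_chain(patryk_case(), "patryk.one.pl.")` yields INSECURE decided at one.pl; BOGUS only appears when a secure parent publishes a DS that the child's DNSKEY set does not match.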