On Sat, Feb 03, 2018 at 12:20:34PM +0100, Stefan Bühler wrote:

> This advice suggests that if the auth server has access to the zone's
> private key and can sign responses on the fly, ANAME works with signed
> zones.
>
> But it doesn't! Because ANAME-aware recursive resolvers will replace
> the signed records with unsigned ones.

No, an ANAME-aware resolver would ignore those records, re-query for the
ANAME target, and validate the response from there - same as it does now
with a CNAME. As long as the ANAME is validly signed, it's just a chain
query.

> I'd also suggest to relax the "MUST re-query" requirement if the
> resolver used ECS - because it means the auth server had a good chance
> to respect the network topology (this is unrelated to signed zones).

It's the same requirement as for CNAME. Putting full trust in a chain
returned by an auth server risks cache poisoning. (Not even necessarily
malicious; the auth might simply be serving information that's outdated.)

-- 
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
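A toy model of the chain-query behaviour the reply describes, added here as an illustration and not part of the thread or of any ANAME implementation: the zone data, names, addresses and keys are constructed, and HMAC stands in for DNSSEC RRSIGs. It contrasts a resolver that trusts the auth server's substituted apex A records with an ANAME-aware validating resolver that ignores them and validates the target's answer instead.

```python
"""Toy model: ANAME-aware validating resolver vs. one that trusts the auth.
Constructed data; HMAC stands in for DNSSEC RRSIGs, this is not real DNS."""
import hmac

# Constructed per-zone signing keys (stand-ins for each zone's DNSKEY).
ZONE_KEYS = {"example.org.": b"key-example", "cdn.net.": b"key-cdn"}


def rrsig(zone, name, rtype, rdata):
    """Mock RRSIG over one RRset, bound to the owning zone's key."""
    msg = f"{name}|{rtype}|{','.join(sorted(rdata))}".encode()
    return hmac.new(ZONE_KEYS[zone], msg, "sha256").hexdigest()


def verify(zone, name, rtype, rdata, sig):
    """Validate an RRset; an unsigned RRset (sig is None) is bogus."""
    return sig is not None and hmac.compare_digest(rrsig(zone, name, rtype, rdata), sig)


# Constructed authoritative data: (name, rtype) -> [zone, rdata, rrsig].
# The apex A RRset is what an auth server without the zone's private key
# substitutes on the fly from the ANAME target, so it carries no signature.
AUTH = {
    ("example.org.", "ANAME"): ["example.org.", ["cdn.net."], None],
    ("example.org.", "A"): ["example.org.", ["192.0.2.99"], None],
    ("cdn.net.", "A"): ["cdn.net.", ["198.51.100.7"], None],
}
for (name, rtype), rec in AUTH.items():
    if (name, rtype) != ("example.org.", "A"):  # everything else is signed
        rec[2] = rrsig(rec[0], name, rtype, rec[1])


def trusting_resolve_a(name):
    """Resolver that trusts the auth's substituted A records, no validation."""
    return AUTH[(name, "A")][1]


def validating_resolve_a(name, max_chain=8):
    """ANAME-aware validating resolver: validate the ANAME, ignore sibling
    address records, re-query the target and validate that answer instead."""
    for _ in range(max_chain):
        aname = AUTH.get((name, "ANAME"))
        if aname is None:
            zone, rdata, sig = AUTH[(name, "A")]
            if not verify(zone, name, "A", rdata, sig):
                raise ValueError(f"bogus A RRset at {name}")
            return rdata
        zone, target, sig = aname
        if not verify(zone, name, "ANAME", target, sig):
            raise ValueError(f"bogus ANAME at {name}")
        name = target[0]  # chain query, exactly as for CNAME
    raise ValueError("ANAME chain too long")
```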
