> On 30 Apr 2020, at 07:50, Ted Lemon <mel...@fugue.com> wrote:
> 
> Is there an RFC or draft that talks about what the right thing is to do when 
> an unsigned CNAME points to a record in a signed zone?
> 
> That is, suppose we are doing validation. The CNAME doesn’t validate, because 
> it’s not signed. When we look up the record the CNAME points to, do we set 
> the DO bit? Do we validate the answer? Or do we assume that because the CNAME 
> isn’t signed, we don’t need to validate what it points to?
> 
> I think the answer is that we validate, but I’m curious to know what others 
> think of this.

Ted, you need to be more precise.  The CNAME validates as insecure.  The output of the validation process is “provably secure”, “provably insecure”, “bogus”, or “indeterminate” (e.g. because you can’t get intermediate records in the chain, and which you should treat as bogus).  Named combines the last two as bogus.  It doesn’t try to distinguish the failure modes.  SERVFAIL will be returned in either case.

provably insecure: proved no DS records at a delegation at or above the name; proved that there are only unsupported algorithms in the DS RRset at a delegation at or above the name; not under a trust anchor.

You always validate everything that is under a trust anchor.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
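As an added illustration (not code from the thread, and not BIND's own logic), the following Python models the four validator outcomes Mark lists and how they combine over a CNAME chain whose first link is in an unsigned zone and whose target is in a signed zone; the zone names and their properties are constructed, and the root is assumed to be the only trust anchor.

```python
from dataclasses import dataclass
from enum import Enum

# The four validator outcomes named in the thread.
State = Enum("State", "SECURE INSECURE BOGUS INDETERMINATE")

@dataclass
class Zone:
    parent: str = ""               # "" marks the root
    ds_at_parent: bool = True      # parent publishes a DS RRset for this zone
    ds_alg_supported: bool = True  # at least one DS algorithm the validator knows
    rrsigs_valid: bool = True      # False: signatures present but fail to verify
    reachable: bool = True         # False: chain records could not be fetched

# Constructed example zones (not real names); the root is the only trust anchor.
ZONES = {
    ".": Zone(),
    "test.": Zone(parent="."),
    "unsigned.test.": Zone(parent="test.", ds_at_parent=False),  # proven no DS
    "signed.test.": Zone(parent="test."),
    "badsig.test.": Zone(parent="test.", rrsigs_valid=False),
}
TRUST_ANCHORS = {"."}

def rrset_state(zone, zones=ZONES, anchors=TRUST_ANCHORS):
    """State of an RRset in `zone`, walking down from the nearest trust anchor
    the way a validator follows DS -> DNSKEY -> RRSIG links."""
    path = []
    while zone:
        path.append(zone)
        zone = zones[zone].parent
    anchored = [z for z in path if z in anchors]
    if not anchored:
        return State.INSECURE              # not under any trust anchor
    for i, name in enumerate(path[: path.index(anchored[0]) + 1][::-1]):
        zn = zones[name]
        if i and not (zn.ds_at_parent and zn.ds_alg_supported):
            return State.INSECURE          # no DS, or only unsupported algorithms
        if not zn.reachable:
            return State.INDETERMINATE     # cannot complete the chain
        if not zn.rrsigs_valid:
            return State.BOGUS
    return State.SECURE

def answer_state(chain_zones):
    """Combine states over a CNAME chain: every RRset under a trust anchor is
    validated, the answer is as weak as its weakest link, and indeterminate is
    lumped with bogus (as named does), so both lead to SERVFAIL."""
    states = [rrset_state(z) for z in chain_zones]
    if any(s in (State.BOGUS, State.INDETERMINATE) for s in states):
        return State.BOGUS
    return State.SECURE if all(s is State.SECURE for s in states) else State.INSECURE
```

The unsigned CNAME followed by a validly signed target yields an insecure answer, while the same CNAME followed by a target whose signatures fail yields bogus: the target is validated regardless of how the CNAME fared.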