On 4/29/2020 5:50 PM, Ted Lemon wrote:
Is there an RFC or draft that talks about what the right thing is to do when an
unsigned CNAME points to a record in a signed zone?
That is, suppose we are doing validation. The CNAME doesn’t validate, because
it’s not signed. When we look up the record the CNAME points to, do we set the
DO bit? Do we validate the answer? Or do we assume that because the CNAME isn’t
signed, we don’t need to validate what it points to?
I think the answer is that we validate, but I’m curious to know what others
think of this.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
See this chain
https://mailarchive.ietf.org/arch/msg/dnsext/_kxMmGeBUI8OW03tWlcgcCW9QlU/
(Yup - 12 years ago).
I don't think I ever managed to convince anyone this was a problem.
If you've got a validated CNAME that points into an unsecured zone,
then your state is probably Unsecure (if you treat it similar to a
secure delegation to an unsigned zone) or Unknown.
If you've got a securely insecure (e.g. delegation was to an insecure
zone at some point) CNAME that points into a secure zone, I would say
your result is probably Bogus or Unsecure as you haven't any way to
evaluate trust. I don't think you can bootstrap security this way.
Mike
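A toy model of what a validating resolver does with the three situations the thread touches on: a signed CNAME pointing into an unsigned zone, an unsigned CNAME pointing into a signed zone, and an RRset inside a signed zone that arrives without its RRSIG. This is an added example, not code from either poster. The zone tree, records and addresses are constructed, no real signatures are checked (each RRset just carries a has_rrsig flag), and it assumes the rule that the overall status of a CNAME chain is the weakest per-RRset status: any Bogus RRset makes the answer Bogus, all Secure makes it Secure, anything else is Insecure.

```python
"""Toy model of DNSSEC validation across a CNAME chain.

Constructed illustration: the zones, records and addresses are made up,
and signature checking is reduced to a has_rrsig flag per RRset.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECURE, INSECURE, BOGUS = "Secure", "Insecure", "Bogus"


@dataclass
class Zone:
    name: str
    parent: Optional[str]   # None only for the root, which is the trust anchor
    ds_in_parent: bool      # parent publishes a DS record for this zone
    signed: bool            # zone publishes a DNSKEY and signs its RRsets


@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: str
    zone: str               # zone the RRset belongs to
    has_rrsig: bool         # an RRSIG accompanied the RRset in the answer


# Constructed zone tree: "." -> "example" -> {signed.example, unsigned.example}
ZONES: Dict[str, Zone] = {
    ".": Zone(".", None, True, True),
    "example": Zone("example", ".", True, True),
    "signed.example": Zone("signed.example", "example", True, True),
    # Securely delegated as insecure: the parent's NSEC proves there is no DS.
    "unsigned.example": Zone("unsigned.example", "example", False, False),
}

RECORDS: Dict[Tuple[str, str], RRset] = {
    # Case 1 (Mike's first case): validated CNAME into an unsigned zone.
    ("www.signed.example", "CNAME"): RRset(
        "www.signed.example", "CNAME", "target.unsigned.example", "signed.example", True),
    ("target.unsigned.example", "A"): RRset(
        "target.unsigned.example", "A", "192.0.2.10", "unsigned.example", False),
    # Case 2 (Ted's question): unsigned CNAME pointing into a signed zone.
    ("alias.unsigned.example", "CNAME"): RRset(
        "alias.unsigned.example", "CNAME", "host.signed.example", "unsigned.example", False),
    ("host.signed.example", "A"): RRset(
        "host.signed.example", "A", "192.0.2.20", "signed.example", True),
    # Case 3: CNAME in a signed zone that arrives without its RRSIG.
    ("broken.signed.example", "CNAME"): RRset(
        "broken.signed.example", "CNAME", "host.signed.example", "signed.example", False),
}


def zone_state(zones: Dict[str, Zone], name: str) -> str:
    """Walk the chain of trust from the root down to `name`."""
    zone = zones[name]
    if zone.parent is None:
        return SECURE                   # trust anchor
    parent = zone_state(zones, zone.parent)
    if parent != SECURE:
        return parent                   # Insecure or Bogus propagates downward
    if not zone.ds_in_parent:
        return INSECURE                 # authenticated denial of DS: provably unsigned
    return SECURE if zone.signed else BOGUS   # DS present but no usable DNSKEY


def rrset_state(zones: Dict[str, Zone], rr: RRset) -> str:
    zstate = zone_state(zones, rr.zone)
    if zstate != SECURE:
        return zstate
    # Inside a Secure zone every RRset must carry a valid signature; a missing
    # one is Bogus, not Insecure (the cryptographic check itself is elided).
    return SECURE if rr.has_rrsig else BOGUS


def combine(states: List[str]) -> str:
    """Weakest-link rule assumed by this example for the whole chain."""
    if any(s == BOGUS for s in states):
        return BOGUS
    if all(s == SECURE for s in states):
        return SECURE
    return INSECURE


def resolve(qname: str, qtype: str, zones=ZONES, records=RECORDS, max_chain=8):
    """Follow CNAMEs, validating every RRset in the chain (DO bit always set).

    Returns (chain, overall) where chain is a list of (RRset, state) pairs.
    """
    chain: List[Tuple[RRset, str]] = []
    name = qname
    for _ in range(max_chain):
        rr = records.get((name, qtype)) or records.get((name, "CNAME"))
        if rr is None:
            break
        chain.append((rr, rrset_state(zones, rr)))
        if rr.rtype != "CNAME":
            break
        name = rr.rdata
    if not chain:
        return chain, "NoData"
    return chain, combine([s for _, s in chain])


if __name__ == "__main__":
    for q in ("www.signed.example", "alias.unsigned.example", "broken.signed.example"):
        chain, overall = resolve(q, "A")
        print(q, [(rr.owner, s) for rr, s in chain], "=>", overall)
```

The resolver queries with DO set and validates at every step regardless of how the CNAME itself fared, which is the behaviour Ted leans towards. The interesting output is case 2: the target A RRset validates as Secure on its own, but because the CNAME that led there is only Insecure the overall answer is Insecure, matching Mike's point that an unsigned CNAME cannot bootstrap trust. Case 3 shows why "unsigned" is not one state: a missing RRSIG in a zone that is provably signed is Bogus, whereas an RRset in a zone with an authenticated absence of DS is merely Insecure.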