On 4/30/2020 11:15 AM, Ted Lemon wrote:
> On Apr 29, 2020, at 8:01 PM, Michael StJohns <[email protected] <mailto:[email protected]>> wrote:
>> If you've got a securely insecure (e.g. delegation was to an
>> insecure zone at some point) CNAME that points into a secure zone, I
>> would say your result is probably Bogus or Unsecure as you haven't
>> any way to evaluate trust. I don't think you can bootstrap security
>> this way.
> I agree that you can’t bootstrap security this way. I would agree that
> the answer can’t have the AD bit set. However, I don’t see why this
> arrangement should be considered bogus.
Because an attacker can twiddle with a CNAME. So while the recipient
sees a CNAME pointing at a validatable end item, that may not have been
the end name the publisher provided. I'd probably say unsecure though,
as I don't expect the client can detect bogus in this case unless there
was a rule saying this was a bogus configuration.
Mike
ps - What's the validation level for a secured CNAME that points at an
unsecured CNAME that points to a secured A record?
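The following is an added illustration, not code from the thread or from any resolver: a small model of how a validating resolver can assign a single security state to a CNAME chain that crosses secure and insecure zones. It encodes the weakest-link rule that Mike's reply leans toward (the chain is Insecure if any link is Insecure, Bogus if any link is Bogus, and AD is set only when every link is Secure). The zone names, records and per-zone states are constructed for the example; the question in the postscript (secure CNAME to insecure CNAME to secure A) is the `alias.secure.example.` case.

```python
from enum import IntEnum


class SecState(IntEnum):
    """Validator outcome for one RRset, ordered weakest first."""
    BOGUS = 0
    INSECURE = 1
    SECURE = 2


# Constructed zone data (hypothetical names): each zone apex maps to the
# validation state a resolver would reach for RRsets owned in that zone.
ZONES = {
    "secure.example.": SecState.SECURE,
    "insecure.example.": SecState.INSECURE,   # unsigned delegation (securely insecure)
    "bogus.example.": SecState.BOGUS,         # signed, but signatures fail
}

# Constructed records: owner name -> (type, rdata)
RECORDS = {
    "host.secure.example.": ("A", "192.0.2.10"),
    "www.insecure.example.": ("CNAME", "host.secure.example."),   # Mike's case
    "alias.secure.example.": ("CNAME", "mid.insecure.example."),  # postscript case
    "mid.insecure.example.": ("CNAME", "host.secure.example."),
    "broken.secure.example.": ("CNAME", "host.bogus.example."),
    "host.bogus.example.": ("A", "192.0.2.20"),
}


def zone_state(name: str) -> SecState:
    """State of the closest enclosing zone apex (longest suffix match)."""
    best = None
    for apex, state in ZONES.items():
        if name == apex or name.endswith("." + apex):
            if best is None or len(apex) > len(best[0]):
                best = (apex, state)
    if best is None:
        raise KeyError(f"no zone known for {name}")
    return best[1]


def chase(qname: str, max_links: int = 8):
    """Follow the CNAME chain from qname.

    Returns (final_name, state, ad): state is the weakest link in the chain,
    and ad is True only when every link validated as SECURE.
    """
    name = qname
    states = []
    for _ in range(max_links + 1):
        rtype, rdata = RECORDS[name]
        states.append(zone_state(name))   # each link is judged in its own zone
        if rtype != "CNAME":
            break
        name = rdata
    else:
        raise RuntimeError("CNAME chain too long")  # loop guard
    state = min(states)
    return name, state, state == SecState.SECURE


if __name__ == "__main__":
    for q in ("host.secure.example.", "www.insecure.example.",
              "alias.secure.example.", "broken.secure.example."):
        target, state, ad = chase(q)
        print(f"{q:26} -> {target:22} {state.name:9} AD={ad}")
```

The insecure-CNAME-into-secure-zone case comes out Insecure with AD clear: the target A record validates on its own, but the link that chose that target was not signed, so the resolver cannot tell a publisher's CNAME from a substituted one. Whether that link should instead be labelled Bogus is exactly the point the thread is debating; the model above records it as Insecure, which is what a resolver can actually observe.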
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop