On Apr 30, 2020, at 2:31 PM, Michael StJohns <[email protected]> wrote: > Because an attacker can twiddle with a CNAME. So while the recipient sees a > CNAME pointing at a validatable end item, that may not have been the end name > the publisher provided. I'd probably say unsecure though, as I don't expect > the client can detect bogus in this case unless there was a rule saying this > was a bogus configuration. > > Mike > > ps - What's the validation level for a secured CNAME that points at an > unsecured CNAME that points to a secured A record? > I think that what we’re really talking about is that we have some chain of items where some items are provably not signed, and some are provably signed and have been validated. Any items that do not match one of these two criteria can be treated as “unknown.” So:
* If _all_ the items are provably signed and have been validated, the answer sets the AD bit. * If _some_ of the items have been validated, and others are provably not signed, then the answer doesn’t set the AD bit, but an answer is sent. * If we have a partial answer because we didn’t get some answers, is that any different than the case where we got bogus answers?
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
