
Possible issue with CNAME on DNSSEC test

Open fkyanai opened this issue 1 year ago • 4 comments

Hi !

Recently I faced the following situation on top.nic.br and Internet.nl:

image

But checking the DNSSEC servers , all of them are signed:

https://dnssec-analyzer.verisignlabs.com/www.iana.org

DNSSEC-Debugger-www-iana-org

https://dnsviz.net/d/www.iana.org/dnssec/

www-iana-org-DNSViz

This problem happens only with the CNAME record (www); with the A record no issues are verified.

Any suggestions? Is it related to issue #188?

Best Regards, Flavio

fkyanai avatar Mar 28 '24 15:03 fkyanai

The DNSSEC test does a SOA check on the domain, in this case www.iana.org, to check it's delegated; this sometimes results in an invalid signature of NSEC or some other weird DNS behavior that results in this correct detection of a DNSSEC failure, which is not perfectly explained. ~I'm not sure what I see here: https://dnsviz.net/d/www.iana.org/dnssec/?rr=6&a=all&ds=all&ta=.&tk=~ Update: probably a dnsviz :bug:

Thanks to @mdavids:

$ unbound-host -d -v -f /usr/share/dns/root.key -t SOA www.iana.org
...
www.iana.org is an alias for ianawww.vip.icann.org. (insecure)
ianawww.vip.icann.org has no SOA record (insecure)

bwbroersma avatar Mar 29 '24 13:03 bwbroersma

Have to delve deeper, but weird things are happening here:

dig +dnssec @9.9.9.9 -t SOA ianawww.vip.icann.org has no AD-bit.
dig +dnssec @8.8.8.8 -t SOA ianawww.vip.icann.org has.

Unbound indeed has no AD-bit too. Neither has BIND9.

mdavids avatar Mar 29 '24 14:03 mdavids

From a quick look at the domain and Unbound's code, the NSEC3 record we get back is:

<hash>.vip.icann.org. 60 IN NSEC3 1 0 1 <salt> <next-hash> A NS MX TXT AAAA RRSIG DNSKEY NSEC3PARAM

The owner of the record after hash computation is ianawww.vip.icann.org. The actual hash and salt values are not important because they are autogenerated on the fly (online signing).

The NSEC3 record has an NS bit but no SOA bit. This means a delegation. Because there is no DS, this means an insecure delegation. Thus the final insecure status. If DS was there that would have been bogus.

I believe this is because there is no SOA record at ianawww.vip.icann.org, as there should be, from what I see at least.

gthess avatar Mar 29 '24 14:03 gthess
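As an added illustration (not Unbound's code, nor Internet.nl's), here is a small Python model of the validator reasoning in the comment above: parse the NSEC3 record in presentation format and classify a NODATA answer from its type bitmap. The record text is the one quoted above with its <hash>, <salt> and <next-hash> placeholders kept as-is; the other records in the test are constructed inputs.

```python
# Added example (not Unbound's or Internet.nl's code): a simplified model of how
# a validator reads the NSEC3 type bitmap of a NODATA answer, following the
# reasoning in the thread. Real validators also check hashes, signatures and
# the closest-encloser proof, which are left out here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Nsec3:
    owner: str
    ttl: int
    hash_alg: int
    flags: int
    iterations: int
    salt: str
    next_hash: str
    types: frozenset


def parse_nsec3(line: str) -> Nsec3:
    """Parse an NSEC3 RR in presentation format (RFC 5155)."""
    fields = line.split()
    if len(fields) < 9 or fields[3] != "NSEC3":
        raise ValueError("not an NSEC3 record: " + line)
    owner, ttl, _cls, _rtype, alg, flags, iters, salt, nxt, *bitmap = fields
    return Nsec3(owner, int(ttl), int(alg), int(flags), int(iters), salt, nxt,
                 frozenset(t.upper() for t in bitmap))


def classify_nodata(nsec3: Nsec3, qtype: str) -> str:
    """Classify a NODATA answer proven by an NSEC3 matching the query name."""
    types = nsec3.types
    if qtype.upper() in types:
        # The bitmap claims the queried type exists, so this proves no NODATA.
        return "bogus"
    if "NS" in types and "SOA" not in types:
        # NS without SOA marks a delegation point. A DS bit would mean the
        # child zone is signed and this unsigned data would be bogus; without
        # it the delegation is proven unsigned, so the answer is insecure.
        return "bogus" if "DS" in types else "insecure"
    # Ordinary name inside the signed zone: the NODATA proof stands.
    return "secure"


# The record quoted in the thread, placeholders and all (constructed input).
RECORD = ("<hash>.vip.icann.org. 60 IN NSEC3 1 0 1 <salt> <next-hash> "
          "A NS MX TXT AAAA RRSIG DNSKEY NSEC3PARAM")

if __name__ == "__main__":
    print(classify_nodata(parse_nsec3(RECORD), "SOA"))  # -> insecure
```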

Also: https://github.com/PowerDNS/pdns/issues/7143

mdavids avatar Mar 29 '24 15:03 mdavids