nanog mailing list archives

Re: Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)


From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Thu, 9 Dec 2021 00:23:25 +0900

Arne Jensen wrote:

It is my understanding that the CNAME should never have been followed,

Wrong.

since there isn't any covering RRSIG for the actual CNAME, exactly as the elaborative message on dnsviz.net claims.

That the CNAME RR is authenticated means it securely points to some
other domain name, which may or may not be covered by an RRSIG
signature; this is no different from domain names pointed to by
signed MX RRs.

Anyway, as so-called secure DNS is merely weakly secure,
subject to MitM attacks on intermediate zones, there is
no reason to use it only to increase operational efforts
purposelessly.

                                                Masataka Ohta
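To make the point of disagreement concrete, here is an added Python example (not code from the thread or from either participant) that walks a CNAME chain in a constructed answer section and reports which RRset lacks a covering RRSIG. It separates the case Arne describes (the CNAME RRset itself has no covering RRSIG) from the case Masataka describes (a signed CNAME whose target lives in a zone that happens to be unsigned). All names and records are constructed; the check only looks for the presence of a covering RRSIG at the same owner name and does not verify signatures cryptographically.

```python
from collections import defaultdict

# Constructed answer sections (not real DNS data): each RR is (owner, type, rdata).
# For an RRSIG the rdata field here is just the type it covers; a real RRSIG
# also carries signer name, key tag, validity window and the signature itself.
UNSIGNED_CNAME = [
    ("www.example.", "CNAME", "cdn.example.net."),   # no RRSIG covers this RRset
    ("cdn.example.net.", "A", "192.0.2.10"),
    ("cdn.example.net.", "RRSIG", "A"),
]
UNSIGNED_TARGET = [
    ("www.example.", "CNAME", "cdn.example.net."),
    ("www.example.", "RRSIG", "CNAME"),              # CNAME RRset is signed
    ("cdn.example.net.", "A", "192.0.2.10"),         # target zone is unsigned
]

def group_rrsets(answer):
    """Group RRs into RRsets keyed by (owner, type); owner names are case-folded."""
    sets = defaultdict(list)
    for owner, rtype, rdata in answer:
        sets[(owner.lower(), rtype)].append(rdata)
    return sets

def audit_cname_chain(qname, qtype, answer):
    """Follow the CNAME chain from qname and record, for every RRset used,
    whether an RRSIG at the same owner name covers that RRset's type.
    Returns a list of (owner, type, has_covering_rrsig); type is None when
    the chain ends without an answer for qtype."""
    sets = group_rrsets(answer)
    report, name, seen = [], qname.lower(), set()
    while name not in seen:                 # guard against CNAME loops
        seen.add(name)
        if (name, "CNAME") in sets:
            rtype = "CNAME"
        elif (name, qtype) in sets:
            rtype = qtype
        else:
            report.append((name, None, False))
            break
        signed = rtype in sets.get((name, "RRSIG"), [])
        report.append((name, rtype, signed))
        if rtype != "CNAME":
            break
        name = sets[(name, "CNAME")][0].lower()
    return report

def unsigned_rrsets(report):
    """RRsets in the chain that lack a covering RRSIG, as (owner, type)."""
    return [(n, t) for n, t, s in report if t is not None and not s]
```

In the first constructed answer the unsigned RRset is the CNAME at the queried name; in the second it is the A RRset at the target, which is a property of the target zone rather than of the CNAME.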

