In message <[email protected]>, Viktor Dukhovni writes:
> On Fri, Sep 05, 2014 at 07:00:16AM +1000, Mark Andrews wrote:
> 
> > Just go and read how the DNS works first. This will tell you what
> > rules DNSSEC has to prove were met for each answer.
> 
> Yes, in fact between posting and reading your answer, I went off
> and did some reading. The problem as I now understand it seems to
> be that:
> 
> 1. *.clarion-hotels.cz IN CNAME exists.
> 2. mail2.clarion-hotels.cz exists.
> 3. _tcp.mail2.clarion-hotels.cz does not exist.
> 
> and finally, the nameservers for clarion-hotels.cz incorrectly
> apply the wildcard CNAME to a child of an existing sibling node
> (mail2). This is detected as an error by various validating
> resolvers.
> 
> Is this right?

Yes.

> > The RRSIG for _25._tcp.mail2.clarion-hotels.cz says it was generated
> > from a wildcard record which the validator proved by retaining the
> > correct number of labels to form the suffix of the wildcard record
> > and adding a '*' label. This gives the name of the record that was
> > signed. The number of labels is also part of the data that is
> > hashed to form the RRSIG.
> 
> Right, so along with this there needs to be a non-existence proof
> for the labels replaced with the wildcard, but there is no such
> proof, because "mail2" exists.
> 
> > Now can we please stop second guessing whether DNSSEC actually
> > works. It does.
> 
> Sorry, I was just surprised by the RRSIG values being the same for
> multiple qnames, but did not know about the RRSIG label count field.
> So my guess was way off, but it was a guess, and I did ask for
> advice from folks who actually know how this works.

Ok. Sorry if I came on a bit strong.

> So now I need to figure out what manner of broken name servers are:
> 
> ns.forpsi.cz
> ns.forpsi.it
> ns.forpsi.net
> 
> -- 
> Viktor.
> 
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
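The two halves of the exchange above, worked in code: the server-side wildcard matching rule (RFC 4592) that decides whether *.clarion-hotels.cz may answer for a name under the existing node mail2, and the validator-side reconstruction of the signed owner name from the RRSIG Labels field (RFC 4034 section 3.1.3, RFC 4035 section 5.3.4) followed by the non-existence check on the "next closer" name (RFC 5155 section 8.1). This is an added example for this thread; it is not code posted by either participant and not taken from BIND or any other resolver. The zone node set is constructed from the three names in Viktor's list, the query name _25._tcp.mail3.clarion-hotels.cz is a hypothetical sibling we add for contrast, the function names are ours, and the assumption that clarion-hotels.cz contains no other nodes is ours.

```python
"""DNSSEC wildcard handling: RFC 4592 matching on the authoritative side and
RRSIG Labels reconstruction plus next-closer-name proof on the validator side.

Added example for the dane-list thread; not code from the posters or from
any resolver. Zone contents below are constructed from names in the thread.
"""


def to_labels(name):
    """'a.b.example.' -> ['a', 'b', 'example'] (root label dropped, lowercased)."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def from_labels(labs):
    return ".".join(labs)


def zone_nodes(rr_owners, apex):
    """Every node that exists in the zone, including empty non-terminals.

    A name exists if an RRset sits at it OR it is an in-zone ancestor of such
    a name; the latter is how empty non-terminals like _tcp.mail2 would arise.
    """
    apex_labs = to_labels(apex)
    nodes = set()
    for owner in rr_owners:
        labs = to_labels(owner)
        if labs[-len(apex_labs):] != apex_labs:
            raise ValueError("%s is not in zone %s" % (owner, apex))
        for i in range(len(labs) - len(apex_labs) + 1):   # owner up to apex
            nodes.add(from_labels(labs[i:]))
    return nodes


def wildcard_lookup(nodes, qname):
    """RFC 4592 section 3.3: how an authoritative server must answer qname.

    Returns (kind, closest_encloser, source_of_synthesis), kind being
    'exact', 'wildcard' or 'nxdomain'. A wildcard applies only when the
    closest encloser (longest existing ancestor) has a '*' child.
    """
    labs = to_labels(qname)
    if from_labels(labs) in nodes:
        return ("exact", from_labels(labs), None)
    for i in range(1, len(labs)):
        enc = from_labels(labs[i:])
        if enc in nodes:
            source = "*." + enc
            if source in nodes:
                return ("wildcard", enc, source)
            return ("nxdomain", enc, None)   # e.g. mail2 exists, *.mail2 does not
    raise ValueError("%s is not below the zone apex" % qname)


def reconstruct_signed_name(owner, rrsig_labels):
    """RFC 4034 s3.1.3 / RFC 4035 s5.3.1: recover the owner name the RRSIG
    covers from its Labels field (the '*' label is not counted in it).

    Returns (signed_name, next_closer). next_closer is None when the answer
    was not synthesized; otherwise it is the name one label below the
    wildcard's parent that NSEC/NSEC3 must prove absent.
    """
    labs = to_labels(owner)
    if rrsig_labels > len(labs):
        raise ValueError("RRSIG Labels %d exceeds owner name" % rrsig_labels)
    if rrsig_labels == len(labs):
        return (from_labels(labs), None)
    signed = "*." + from_labels(labs[len(labs) - rrsig_labels:])
    next_closer = from_labels(labs[len(labs) - rrsig_labels - 1:])
    return (signed, next_closer)


def validator_accepts(nodes, owner, rrsig_labels):
    """Decision of a validator that has already verified the RRSIG itself.

    `nodes` stands in for the zone's NSEC/NSEC3 chain: a name in it cannot be
    proven absent, a name outside it can. A wildcard-expanded answer is only
    valid if the next closer name is proven not to exist (RFC 4035 s5.3.4).
    """
    _signed, next_closer = reconstruct_signed_name(owner, rrsig_labels)
    if next_closer is None:
        return True            # not synthesized, nothing further to prove
    return next_closer not in nodes


# Constructed zone from the thread: apex, the wildcard CNAME owner, and mail2.
APEX = "clarion-hotels.cz"
NODES = zone_nodes(["clarion-hotels.cz", "*.clarion-hotels.cz",
                    "mail2.clarion-hotels.cz"], APEX)
BAD_QNAME = "_25._tcp.mail2.clarion-hotels.cz"   # the name from the thread
OK_QNAME = "_25._tcp.mail3.clarion-hotels.cz"    # hypothetical: no mail3 node
WILDCARD_LABELS = 2   # Labels field of an RRSIG made at *.clarion-hotels.cz

if __name__ == "__main__":
    for q in (BAD_QNAME, OK_QNAME):
        print(q, wildcard_lookup(NODES, q),
              reconstruct_signed_name(q, WILDCARD_LABELS),
              validator_accepts(NODES, q, WILDCARD_LABELS))
```

Running it shows the asymmetry the thread turns on: for the mail2 name the RFC 4592 lookup yields NXDOMAIN (closest encloser mail2 has no `*` child), and a validator handed a wildcard-signed answer anyway rejects it because mail2.clarion-hotels.cz cannot be proven absent; for the hypothetical mail3 sibling the same RRSIG, reconstructed to the same `*.clarion-hotels.cz` owner, validates, which is also why one signature can serve many qnames.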
