On Mar 31, 2020, at 3:37 PM, Mark Andrews <[email protected]> wrote:
>
>> On 31 Mar 2020, at 23:03, Vladimír Čunát <[email protected]> wrote:
>>
>> On 3/31/20 6:47 AM, Brian Somers wrote:
>>> One useful thing I could say (If you haven’t hit delete yet) is that I
>>> *HAVE* seen RRSIGs with compressed signers in the wild, so never assume
>>> that, just because RFCs say MUST NOT, you’ll never see these horrible
>>> things.
>>
>> Sure, validators MUST NOT crash on those, etc... but does that mean they
>> SHOULD accept such signatures? I don't think so. (unless there's some
>> additional motivation)
>
> Well BIND has rejected them in RRSIGs from the get go. They are also rejected
> in SIG records. So while Brian may have seen them, I would presume that
> whatever was generating them has been fixed.
It doesn’t look like it….
The offending query was: dig +dnssec ecfr.gov @ns2.gpo.gov
We see this in the attached cap data:
….
0x0060: 0001 0702 0000 7080 5e93 a858 5e81 2fc6 ......p.^..X^./.
        |    | |  |         |         |
covered A    | |  |         |         |
   algorithm 7 |  |         |         |
        labels 2  |         |         |
 original-ttl 28800         |         |
        expiry 20200413122948         |
               inception 20200330122237
0x0070: 004a c00c 7d79 e703 b882 9153 b648 0bd0 .J..}y.....S.H..
        |    |
keytag 74    |
  signer <ref>
….
—
Brian
ecfr.gov.pcap
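As an added example that is not part of the thread, here is a Python check a validator or a pcap-triage script could apply to RRSIG RDATA: it parses the fixed fields and refuses a signer name that is a compression pointer, which RFC 4034 section 3.1.7 forbids. The offending bytes are the ones from the dump above (packet offsets 0x60 to 0x73); the compliant variant with the signer spelled out as ecfr.gov. is constructed for comparison.

```python
import struct

# Constructed sample: the 20 RDATA octets shown in the dump above, ending with
# the signer-name field c00c (a pointer to offset 12). The signature bytes
# that follow it are not needed for this check.
OFFENDING_RDATA = bytes.fromhex("0001070200007080" "5e93a858" "5e812fc6" "004a" "c00c")
# Same fixed fields, signer written uncompressed as "ecfr.gov." (constructed).
COMPLIANT_RDATA = bytes.fromhex("0001070200007080" "5e93a858" "5e812fc6" "004a"
                                "046563667203676f7600")

# type covered, algorithm, labels, original TTL, expiration, inception, key tag
RRSIG_FIXED = struct.Struct("!HBBIIIH")

def read_uncompressed_name(buf, pos):
    """Decode a wire-format name at pos. Returns (name, next_pos).
    Raises ValueError if any label is a compression pointer (RFC 1035 4.1.4)
    or an unsupported extended label type."""
    labels = []
    while True:
        length = buf[pos]
        if length >= 0xC0:  # top two bits 11: compression pointer
            target = struct.unpack("!H", buf[pos:pos + 2])[0] & 0x3FFF
            raise ValueError("signer name is a compression pointer to offset %d" % target)
        if length > 63:
            raise ValueError("unsupported label type 0x%02x" % length)
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos

def parse_rrsig(rdata):
    """Parse RRSIG RDATA into a dict; the signature itself is kept as raw bytes."""
    fields = RRSIG_FIXED.unpack_from(rdata, 0)
    signer, pos = read_uncompressed_name(rdata, RRSIG_FIXED.size)
    keys = ("type_covered", "algorithm", "labels", "original_ttl",
            "expiration", "inception", "key_tag")
    rr = dict(zip(keys, fields))
    rr["signer"] = signer
    rr["signature"] = rdata[pos:]
    return rr

def check_rrsig(rdata):
    """Return (True, parsed) for a well-formed RRSIG, else (False, reason) for logging."""
    try:
        return True, parse_rrsig(rdata)
    except (ValueError, struct.error) as exc:
        return False, str(exc)
```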
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
