On Sat, Oct 09, 2021 at 07:18:58AM +1100, Mark Andrews wrote:

> Yes it will be unfiltered but the point of DNSSEC is to filter out bad
> answers (that is what the ignore bogus responses achieves) and if you
> are behind a recursive server you need it to do the filtering of the
> answers it gets as you aren’t in a position to wait for the good
> answer as they won’t come to you nor are you in the position to ask
> the authoritatives directly. It can wait for good answers by just
> rejecting the spoofed answers and continuing to listen for the real
> answer.
IIRC the forwarder may have a (logically) separate cache with bogus
answers, which it would normally censor by returning SERVFAIL, but will
disgorge when the "CD" bit is set. Or absent such a cache, it may ask
again, and upon receiving fresh answers that fail validation,
nevertheless forward these on. Either way, when the stub resolver has
trust anchors not known to the forwarder, that render the response
valid, the "CD" bit could help mask the difference.

For example, though the domain cirroscope.com has no DNSKEYs matching
its DS RRs:

    https://dnsviz.net/d/cirroscope.com/YWXRbg/dnssec/

setting the CD bit will make its DNSKEY RRset visible even via a
validating forwarder, and if the stub happens to have a trust-anchor
set for either the algorithm 8 or algorithm 5 KSK, then the stub may
well be able to validate the zone: the signatures are all valid, we
just don't have a SEP from .com to cirroscope.com.

--
    Viktor.
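To make the "no SEP from .com to cirroscope.com" situation concrete, here is an added example (not part of Viktor's message or of any project's code) that computes RFC 4034 key tags and DS digests and checks whether a parent's DS RRset matches any DNSKEY the child actually publishes. The zone name and the key material are constructed placeholders, not the real cirroscope.com keys.

```python
import base64
import hashlib
import struct

# Constructed sample zone and keys (placeholder key material, not the real
# cirroscope.com DNSKEYs). Each key is (flags, protocol, algorithm, pubkey_b64).
ZONE = "example.test."
PUBLISHED_KSK = (257, 3, 8, base64.b64encode(bytes(range(1, 65))).decode())
STALE_KSK = (257, 3, 8, base64.b64encode(bytes(range(65, 129))).decode())

def name_to_wire(name):
    """Canonical wire form of an owner name (lower-cased, RFC 4034 section 6.2)."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the variant for every algorithm but RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest over canonical owner name + DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).digest()

def make_ds(owner, dnskey, digest_type=2):
    """DS RDATA (key_tag, algorithm, digest_type, digest) that would match dnskey."""
    rdata = dnskey_rdata(*dnskey)
    return (key_tag(rdata), dnskey[2], digest_type, ds_digest(owner, rdata, digest_type))

def has_sep(owner, dnskeys, ds_rrs):
    """True if some parent DS matches a DNSKEY in the child's RRset, i.e. a SEP exists."""
    for dnskey in dnskeys:
        rdata = dnskey_rdata(*dnskey)
        for tag, alg, dtype, digest in ds_rrs:
            if (tag, alg) == (key_tag(rdata), dnskey[2]) and ds_digest(owner, rdata, dtype) == digest:
                return True
    return False

if __name__ == "__main__":
    # The parent still publishes DS for a key the child no longer serves: no SEP.
    print(has_sep(ZONE, [PUBLISHED_KSK], [make_ds(ZONE, STALE_KSK)]))      # False
    print(has_sep(ZONE, [PUBLISHED_KSK], [make_ds(ZONE, PUBLISHED_KSK)]))  # True
```

A stub with its own trust anchor for PUBLISHED_KSK can still validate the zone's signatures even though has_sep() is False, which is exactly the gap the CD bit can paper over at a validating forwarder.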