On 5.9.2014 10:34, Martin Straka wrote:
> The first and second screen say that domain name and its IP address are
> secured by DNSSEC (green square icon) and TLSA record for this domain
> is not secured by DNSSEC (grey round icon).
This is a somewhat interesting case, as the TLSA records are usually in the same zone as the name itself. The fact that there is DNSSEC for the name and not for the TLSA record could mean:

a) that the TLSA record is CNAMEd to an insecure zone (why would somebody do that?)

b) that the TLSA record actually does not exist and there is something strange when validating particular NXDOMAIN responses

It turns out that b) is the case here: privasphere.com uses NSEC3 with the opt-out flag turned on, and in that case the resolver MUST NOT return the AD flag for a nonexistent name, because the name can actually be covered by an insecure delegation. Details in [RFC5155]. That's why the TLSA validator sees the response as insecure, instead of showing "No TLSA record" as it does for other domains.

Cheers,
Ondřej Caletka

[RFC5155]: http://tools.ietf.org/html/rfc5155#section-9.2
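To make the RFC 5155 reasoning above concrete, here is an added example (not code from the list, the validator plugin or its authors) that implements the NSEC3 hash and a minimal NXDOMAIN proof check with only the Python standard library. It builds a constructed NSEC3 chain for a hypothetical zone `example.test` twice, once with the Opt-Out flag set and once without, and classifies a lookup for a nonexistent TLSA name. With Opt-Out set, the covering NSEC3 can only prove that the name is either absent or under an unsigned delegation, so the result must be "insecure" (no AD bit) rather than "secure", which is exactly why the validator cannot say "No TLSA record". The zone name, the existing names and the queried TLSA name are assumptions for the demonstration; the one real test vector is the apex hash from RFC 5155 Appendix A.

```python
import base64
import hashlib
from dataclasses import dataclass

OPT_OUT = 0x01  # NSEC3 Flags field, Opt-Out bit (RFC 5155 section 3.1.2.1)

# base32 with Extended Hex alphabet (RFC 4648 section 7), as used for NSEC3 owner names
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """NSEC3 hash per RFC 5155 section 5: SHA-1(x || salt), iterated, base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


@dataclass
class NSEC3:
    owner_hash: str   # hashed owner name
    next_hash: str    # Next Hashed Owner Name field
    flags: int = 0

    def matches(self, h: str) -> bool:
        return self.owner_hash == h

    def covers(self, h: str) -> bool:
        """True if h falls strictly between owner and next (chain wraps at the end)."""
        if self.owner_hash < self.next_hash:
            return self.owner_hash < h < self.next_hash
        return h > self.owner_hash or h < self.next_hash


def build_chain(existing_names, opt_out: bool, salt: bytes = b"", iterations: int = 0):
    """Constructed NSEC3 chain for a zone that contains exactly existing_names."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in existing_names)
    flags = OPT_OUT if opt_out else 0
    return [NSEC3(hashes[i], hashes[(i + 1) % len(hashes)], flags) for i in range(len(hashes))]


def validate_nxdomain(chain, qname: str, salt: bytes = b"", iterations: int = 0) -> str:
    """Classify a claimed NXDOMAIN for qname as 'secure', 'insecure' or 'bogus'.

    Follows the closest encloser proof of RFC 5155 section 8.3/8.4 and the
    Opt-Out rule of section 9.2: if the NSEC3 covering the next closer name has
    Opt-Out set, the name might sit under an unsigned delegation, so the
    response is Insecure and a validator must not set the AD bit.
    """
    h = lambda n: nsec3_hash(n, salt, iterations)
    labels = qname.rstrip(".").split(".")
    names = [".".join(labels[i:]) for i in range(len(labels))]  # qname, then each ancestor
    if any(r.matches(h(qname)) for r in chain):
        return "bogus"  # the name exists, NXDOMAIN cannot be proven
    for i in range(1, len(names)):
        closest_encloser, next_closer = names[i], names[i - 1]
        if any(r.matches(h(closest_encloser)) for r in chain):
            break
    else:
        return "bogus"  # no closest encloser found in the chain
    covering = [r for r in chain if r.covers(h(next_closer))]
    if not covering:
        return "bogus"
    if not any(r.covers(h("*." + closest_encloser)) for r in chain):
        return "bogus"  # wildcard at the closest encloser not proven absent
    return "insecure" if covering[0].flags & OPT_OUT else "secure"


def demo():
    # Hypothetical zone with two existing names and a nonexistent TLSA name (constructed).
    existing = ["example.test", "www.example.test"]
    tlsa_name = "_443._tcp.www.example.test"
    return {
        "opt-out": validate_nxdomain(build_chain(existing, opt_out=True), tlsa_name),
        "fully-signed": validate_nxdomain(build_chain(existing, opt_out=False), tlsa_name),
    }


if __name__ == "__main__":
    print(demo())
```

Run the module to see the two verdicts side by side: the same nonexistent `_443._tcp` name yields "secure" (a validator may answer "No TLSA record" with AD set) for the fully signed chain and "insecure" for the Opt-Out chain, matching the grey icon observed above.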
