Post by Patryk Szczygłowski
Hello,
I have domain signed with DNSSEC: patryk.one.pl <http://patryk.one.pl>
The issue is, the parent one.pl <http://one.pl> is completely void of
DNSSEC support (and it will probably never get fixed).
- . is signed
- .pl is signed, no DS for .one.pl <http://one.pl>
- .one.pl <http://one.pl> is NOT signed, no DNSKEY, no DS for
.patryk.one.pl <http://patryk.one.pl>
- .patryk.one.pl <http://patryk.one.pl> is signed
My domain is registered with dlv.isc.org <http://dlv.isc.org>, but this
not important anymore, as they announced closing down.
http://dnsviz.net/d/patryk.one.pl/dnssec/
The issue is dnsmasq is returning BOGUS instead of INSECURE. In
consequence the domain does not resolve.
https://tools.ietf.org/html/rfc4035#section-5.1
It should mark BOGUS only if top-bottom validation determies DS in
parent but missing DNSKEY in child.
Current behaviour is promoting a race condition, when the domain owner
enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.
The same situation was few years ago, when TLDs were gradually enabled,
when for a while they were signed with DNSKEY without DS being set on
parent, only to be put several months later. There are still unsigned
TLDs and I think they will stop being resolved completely when this
happens again.
Google Public DNS behaviour is correct.
--
Patryk Szczygłowski
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Post by Patryk Szczygłowski
Hello,
I have domain signed with DNSSEC: patryk.one.pl <http://patryk.one.pl>
The issue is, the parent one.pl <http://one.pl> is completely void of
DNSSEC support (and it will probably never get fixed).
- . is signed
- .pl is signed, no DS for .one.pl <http://one.pl>
- .one.pl <http://one.pl> is NOT signed, no DNSKEY, no DS for
.patryk.one.pl <http://patryk.one.pl>
- .patryk.one.pl <http://patryk.one.pl> is signed
My domain is registered with dlv.isc.org <http://dlv.isc.org>, but this
not important anymore, as they announced closing down.
http://dnsviz.net/d/patryk.one.pl/dnssec/
The issue is dnsmasq is returning BOGUS instead of INSECURE. In
consequence the domain does not resolve.
https://tools.ietf.org/html/rfc4035#section-5.1
It should mark BOGUS only if top-bottom validation determies DS in
parent but missing DNSKEY in child.
Current behaviour is promoting a race condition, when the domain owner
enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.
The same situation was few years ago, when TLDs were gradually enabled,
when for a while they were signed with DNSKEY without DS being set on
parent, only to be put several months later. There are still unsigned
TLDs and I think they will stop being resolved completely when this
happens again.
Google Public DNS behaviour is correct.
--
Patryk Szczygłowski
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss