Skip to content

lib: DNSSEC shortcomings

Bad queries:

  • +dnssec DNSKEY 192.in-addr.arpa needs a test
  • +dnssec AAAA ns-1601.awsdns-08.co.uk needs a test
  • +dnssec A zimbra.rfc1925.org add test with multiple DS, where 1st fails
  • +dnssec A www.lidovky.cz add test with a signed CNAME leading to unsigned target
  • +dnssec PTR 134.221.135.195.in-addr.arpa. treats NODATA answer as referral
  • +dnssec A x.ent-asterisk.powerdns.space name is after the last name in the zone, bad check (zonefile)
  • +dnssec AAAA www.nyx.cz wildcard expansion proof not checked here
  • +dnssec A nic.mx (.mx signed on the same NS, but nic.mx is not, validator fails to fetch DS)

Not compliant:

  • answers from hints have +ad
  • cached CNAME targets miss RRSIGs
  • wildcard expansion proof is only validated, but not inserted to the final answer -> moved to #108 (closed)
  • RFC4509 not respected (DS digest downgrade) -> moved to #254 (closed)
  • DNSSEC records are not stripped from pktcache negative answers when client asks with DO=0

Missing features:

  • +cd, no BADCACHE (tracked as #97 (closed))
  • insecure answers aren't cached properly when asked with +dnssec (refetched)
  • names below NTA answered from cache are still treated as valid (cache should be purged below)
Edited by Petr Špaček
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information