Re: [dane] DNSSEC debug advice (TLSA lookup problem).

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Fri, Sep 05, 2014 at 07:00:16AM +1000, Mark Andrews wrote:

> Just go and read how the DNS works first.  This will tell you what
> rules DNSSEC has to prove were met for each answer.

Yes, in fact between posting and reading your answer, I went off
and did some reading.  The problem as I now understand it seems to
be that:

	1.   *.clarion-hotels.cz IN CNAME 	exists.
	2.   mail2.clarion-hotels.cz		exists.
	3.   _tcp.mail2.clarion-hotels.cz	does not exist.

and finally, the nameservers for clarion-hotels.cz incorrectly
apply the wildcard CNAME to a child of an existing sibling node
(mail2).  This is detected as an error by various validating
resolvers.

Is this right?

> The RRSIG for _25._tcp.mail2.clarion-hotels.cz says it was generated
> from a wildcard record which the validator proved by retaining the
> correct number of labels to form the suffix of the wildcard record
> and adding a '*' label.  This gives the name of the record that was
> signed.  The number of labels is also part of the data that is
> hashed to form the RRSIG.

Right, so along with this there needs to be a non-existence proof
for the labels replaced with the wildcard, but there is no such
proof, because "mail2" exists.

> Now can we please stop second guessing whether DNSSEC actually
> works.  It does.

Sorry, I was just surprised by the RRSIG values being the same for
multiple qnames, but did not know about the RRSIG label count field.
So my guess was way off, but it was a guess, and I did ask for
advice from folks who actually know how this works.

So now I need to figure out what manner of broken name servers are:

    ns.forpsi.cz
    ns.forpsi.it
    ns.forpsi.net

-- 
	Viktor.