[DNSOP] Validating responses when following unsigned CNAME chains...

Ted Lemon <mellon@fugue.com> Wed, 29 April 2020 21:50 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F2593A041A for <dnsop@ietfa.amsl.com>; Wed, 29 Apr 2020 14:50:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id du9qjuvmguwQ for <dnsop@ietfa.amsl.com>; Wed, 29 Apr 2020 14:50:10 -0700 (PDT)
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C37143A0418 for <dnsop@ietf.org>; Wed, 29 Apr 2020 14:50:10 -0700 (PDT)
Received: by mail-qk1-x729.google.com with SMTP id 20so3693141qkl.10 for <dnsop@ietf.org>; Wed, 29 Apr 2020 14:50:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:content-transfer-encoding:mime-version:subject:message-id:date :to; bh=u2am450++Sxc6szQzxfxp3AMZFS+Go20eg7rQSER4u4=; b=MM0FBHtAqslxyU+M3pIQPL5bNwi1aO/sLMsP3sA/S7CGMOUKCzImKymcc8XiaqYG6V DVMjTqIIo1VKSgR8IYUR6SRGH1mCtuRcSLFNsz4iPssxVQEH/zALGJ2U+wpvLFfKSung DmOoVaeQh3dJnyZRAbQwsNP6qIJUCvPQ+vUvdgcT9zsOqpt7IR9OapQzy0iLbo7SkIZT jqaZGn1wE5g7sHkOCS569BC5P4FGD+rudcayraL44HEkAawAR8XM/nMi2TW/6vXIEmHJ 9zzvDPk6dEjqpO9bNiQMq9VEt7m6b4WjQji6M2b6QZDjHkxG7+xGvLY4Jtmp19WmoIax 46gg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:message-id:date:to; bh=u2am450++Sxc6szQzxfxp3AMZFS+Go20eg7rQSER4u4=; b=EHn8xUSSBe16r+WR7qYq0yH1buN9vnek7VkvQubEdGDzpyeQRsdh3r2boS4XNdTfAs fjAoI/rK7INywp5kVp9uB0lIZrlS1gqqxLhhlgDfKiatIgzWsvp+h0OFRZ1ik/Yto7yD 11vTTAwiThSrmEt8iJtDVjSo6hymUYKCfUtfdQ7zUytN4ErhIOlJSS/DPPK1z+JOBhFn Jd8cVtub+yDDyqYeDHsKNX8qelGc6Ey732n74ApJAOa6p97sL87Fb7VytFPIpNCpudOH cFdTQop/3OH9Jyz1h4Sr/WgtSQuZm25LnSqUBEYd5dG2F79h8e+vw5JGlJ7gGO9Nw3HY CUow==
X-Gm-Message-State: AGi0PuY1CJMGS2uwKCL6vggKAWO+BCL9QwjMftpCkpZIFRtUxkaNViVR HBpqhEdZmyU4qccy1e2qlUTlJWwrG9E=
X-Google-Smtp-Source: APiQypIIwEhhX7KREPi368eOeF/+9phs7X4BfgUL0feEq1C936znXy6yYUwLopqigvL5oVEwFfyvnA==
X-Received: by 2002:a37:68cd:: with SMTP id d196mr598419qkc.188.1588197008839; Wed, 29 Apr 2020 14:50:08 -0700 (PDT)
Received: from ?IPv6:2601:18b:300:36ee:e518:6559:325d:1a5f? ([2601:18b:300:36ee:e518:6559:325d:1a5f]) by smtp.gmail.com with ESMTPSA id p24sm438314qtp.59.2020.04.29.14.50.08 for <dnsop@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 29 Apr 2020 14:50:08 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3636.0.1\))
Message-Id: <1EA6A13C-6E60-4ED9-9A50-E33D9D17504C@fugue.com>
Date: Wed, 29 Apr 2020 17:50:06 -0400
To: dnsop <dnsop@ietf.org>
X-Mailer: Apple Mail (2.3636.0.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/V2-Hroa6cYw5BurO_yI3NbUjUDg>
Subject: [DNSOP] Validating responses when following unsigned CNAME chains...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 21:50:12 -0000

Is there an RFC or draft that talks about what the right thing is to do when an unsigned CNAME points to a record in a signed zone?

That is, suppose we are doing validation. The CNAME doesn’t validate, because it’s not signed. When we look up the record the CNAME points to, do we set the DO bit? Do we validate the answer? Or do we assume that because the CNAME isn’t signed, we don’t need to validate what it points to?

I think the answer is that we validate, but I’m curious to know what others think of this.