To put more detail on this, the DS is *only* used to verify the DNSKEY
RRset. As long as that returns trusted, *every* DNSKEY in that RRset is
valid for verifying the rest of the zone. There is NO requirement to
look at the DS RRset when verifying anything other than the DNSKEY
RRset.
TA -> DNSKEY
Well if you are attacking the resolver by sending invalid RRSIGs ...
> On 15 Feb 2024, at 11:15, Matt Nordhoff via bind-users
> wrote:
>
> Hello,
>
> I'm not sure if this is a bug or a feature, but the recent CVE fixes
> prevent resolving paste.debian.net with DNSSEC validation on.
>
> It is
Hello,
I'm not sure if this is a bug or a feature, but the recent CVE fixes
prevent resolving paste.debian.net with DNSSEC validation on.
It is a CNAME:
$ dig +short paste.debian.net
apu.snow-crash.org.
p.snow-crash.org.
148.251.236.38
debian.net is fine, but snow-crash.org is misconfigured: It