I tried looking again and found that it is systemd-resolved's error, at least in the developer.apple.com case (the Verisign one is a bit different but potentially might also be a systemd-resolved issue). It seems the issue is that the servers for g.applimg.com are completely DNSSEC-unaware and querying the DS record somehow doesn't work the way DNSSEC wants it to even in the "no DNSSEC" case; however, the parent zone correctly indicates that there is no DNSSEC, so it should be accepted.
https://github.com/systemd/systemd/issues/9867#issuecomment-...
It sounds like systemd-resolved has had a bunch of issues like that where it fails (or previously failed) on things that would be an issue if DNSSEC was enabled but shouldn't due to DNSSEC not being used. I'll stop blaming DNSSEC.