Arne Jensen wrote:
It is my understanding that the CNAME should never have been followed,
Wrong.
Hmm, okay.
-> https://www.rfc-editor.org/rfc/rfc4034.txt
Section 3, "The RRSIG Resource Record", at the third phrase:
Can you tell me what exactly this means?Because every authoritative RRset in a zone must be protected by a digital signature, RRSIG RRs must be present for names containing a CNAME RR. This is a change to the traditional DNS specification [RFC1034], which stated that if a CNAME is present for a name, it is the only type allowed at that name. A RRSIG and NSEC (see Section 4) MUST exist for the same name as a CNAME resource record in a signed zone.
I fail to see that RRSIG in the following output:
$ dig +dnssec AAAA european-union.europa.eu @1.1.1.1
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> +dnssec AAAA european-union.europa.eu @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16457
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; OPT=15: 00 00 72 65 73 65 72 76 65 64 20 44 53 20 61 6c 67 6f 72 69 74 68 6d ("..reserved DS algorithm")
;; QUESTION SECTION:
;european-union.europa.eu. IN AAAA
;; ANSWER SECTION:
european-union.europa.eu. 1800 IN CNAME d1d395kgk3q1uk.cloudfront.net.
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:ea00:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:8200:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:4c00:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:1c00:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:e600:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:3a00:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:f600:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:2000:13:6ecf:b700:93a1
;; Query time: 68 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Dec 08 14:53:06 CET 2021
;; MSG SIZE rcvd: 347
$
So maybe you would care to elaborate why I am wrong, and why Google and Quad9 is wrong too, while CloudFlare is actually doing the "right" thing here?
I would still, with the above output, say that CloudFlare
shouldn't have followed the CNAME at that time.
since there isn't any covering RRSIG for the actual CNAME, exactly as the elaborative message on dnsviz.net claims.
That CNAME RR is authenticated means it securely points to some
other domain name, which may or may not be covered by RRSIG
signature, which is no different from domain names pointed by
signed MX RRs.
Both the CNAME RR (european-union.europa.eu) and MX RR's (your mention) must have a valid RRSIG when they are within a DNSSEC signed zone, but the CNAME RR didn't, as you can see above.
With the timestamp above showing 14:53 CET, and my message appearing here at 15:22 CET, the DNSSEC issue was actually fixed within that time, so if you're first checking around your own message at 16:23, an hour after it had already been resolved, then you will of course see no issues, at all, which I am not either.
Seems like it was fixed ~4 minutes after my output above:
$ dig +dnssec AAAA european-union.europa.eu @1.1.1.1
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> +dnssec AAAA european-union.europa.eu @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19554
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;european-union.europa.eu. IN AAAA
;; ANSWER SECTION:
european-union.europa.eu. 1800 IN CNAME d1d395kgk3q1uk.cloudfront.net.
european-union.europa.eu. 1800 IN RRSIG CNAME 8 3 1800 20220107135603 20211208125711 6276 europa.eu. Gu/Zmxulc0RhNnCE55ATi/yCIUxP4NK9/msFIqPJuBhGrZiGT9+KomfL XcgBGXlzNt24uE9cQo59/r6liN0BV4IA8k4DCwRKDp2dDJUSLYK6AvMa Og+VVAKZvvHJZI6C41vBnD/PJahf9660CvXazzBX5a/W8FGhhVXsUUKx 6780SgvqiXPn0RRNdJ2ZUFzGfY6/kTXsfAkT0TN7ZgGHq6whp/TVoZYb vihl1NoiY4Ou/LFCtAmCJGWaT/h49kTCwIcq/5IgaBLn/CvcSz6YNXi0 RAV4jx+IVlTMzxIgBUsnOrOIoVH3j6LhtUrymfspWESoWBD7mFOjreyh wG+icw==
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:d400:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:c800:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:9200:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:d200:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:c200:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:be00:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:b800:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:600:13:6ecf:b700:93a1
;; Query time: 48 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Dec 09 09:34:59 CET 2021
;; MSG SIZE rcvd: 617
$
And now, CloudFlare should indeed follow the CNAME, as the RRSIG for european-union.europa.eu is there.
-- Med venlig hilsen / Kind regards, Arne Jensen