8 Dec
2021
8 Dec
'21
10:23 a.m.
Arne Jensen wrote:
It is my understanding that the CNAME should never have been followed,
Wrong.
since there isn't any covering RRSIG for the actual CNAME, exactly as the elaborative message on dnsviz.net claims.
That CNAME RR is authenticated means it securely points to some other domain name, which may or may not be covered by RRSIG signature, which is no different from domain names pointed by signed MX RRs. Anyway, as so called secure DNS is merely weakly secure subject to MitM attacks on intermediate zones, there is no reason to use it only to increase operational efforts purposelessly. Masataka Ohta