lib: DNSSEC shortcomings
Bad queries:

- `+dnssec DNSKEY 192.in-addr.arpa` needs a test
- `+dnssec AAAA ns-1601.awsdns-08.co.uk` needs a test
- `+dnssec A zimbra.rfc1925.org` add test with multiple DS, where the 1st fails
- `+dnssec A www.lidovky.cz` add test with a signed CNAME leading to an unsigned target
- `+dnssec PTR 134.221.135.195.in-addr.arpa.` treats NODATA answer as referral
- `+dnssec A x.ent-asterisk.powerdns.space` name is after the last name in the zone, bad check (zonefile)
- `+dnssec AAAA www.nyx.cz` wildcard expansion proof not checked here
- `+dnssec A nic.mx` (.mx signed on the same NS, but nic.mx is not, validator fails to fetch DS)
Not compliant:

- answers from hints have +ad
- cached CNAME targets miss RRSIGs
- wildcard expansion proof is only validated, but not inserted into the final answer -> moved to #108 (closed)
- RFC4509 not respected (DS digest downgrade) -> moved to #254 (closed)
- DNSSEC records are not stripped from pktcache negative answers when client asks with DO=0
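The "DS digest downgrade" item refers to RFC 4509 section 3: when a DS RRset carries both SHA-256 and SHA-1 digests, a validator should ignore the SHA-1 ones, otherwise a DNSKEY that only a SHA-1 DS vouches for is accepted even though the zone publishes a stronger digest. The following is an added example, not the resolver's own code and not part of this issue: it builds DS digests from a DNSKEY per RFC 4034 section 5.1.4 (key tag per Appendix B) and matches a DNSKEY against a DS RRset with the RFC 4509 rule applied. The zone name and both keys are constructed samples; `demo()` is a hypothetical helper that exercises the compliant and the downgrade case.

```python
"""RFC 4509 DS digest selection, added example (not resolver code)."""
import hashlib

# Digest type codes from the DS RR (RFC 4034 / RFC 4509)
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
_HASHES = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """DS RDATA as (key tag, algorithm, digest type, digest).
    digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 s5.1.4."""
    digest = _HASHES[digest_type](wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def usable_ds(ds_rrset):
    """Apply RFC 4509 s3: ignore SHA-1 DS records when any SHA-256 DS is
    present. Digest types this code cannot compute are skipped as well."""
    supported = [ds for ds in ds_rrset if ds[2] in _HASHES]
    if any(ds[2] == DIGEST_SHA256 for ds in supported):
        supported = [ds for ds in supported if ds[2] != DIGEST_SHA1]
    return supported


def dnskey_matches_ds(owner: str, rdata: bytes, ds_rrset) -> bool:
    """True if some usable DS in the set authenticates this DNSKEY."""
    tag, alg = key_tag(rdata), rdata[3]
    for ds_tag, ds_alg, dtype, digest in usable_ds(ds_rrset):
        if (ds_tag, ds_alg) != (tag, alg):
            continue  # cheap pre-filter before hashing
        if _HASHES[dtype](wire_name(owner) + rdata).digest() == digest:
            return True
    return False


def demo() -> dict:
    """Constructed scenario (hypothetical helper, not real keys or zones)."""
    owner = "example."
    key_a = dnskey_rdata(257, 3, 13, bytes(range(1, 33)))    # key the zone really uses
    key_b = dnskey_rdata(257, 3, 13, bytes(range(33, 65)))   # key vouched for by SHA-1 only
    ds_a_sha256 = make_ds(owner, key_a, DIGEST_SHA256)
    ds_b_sha1 = make_ds(owner, key_b, DIGEST_SHA1)
    return {
        # SHA-256 DS authenticates key A
        "a_via_sha256": dnskey_matches_ds(owner, key_a, [ds_a_sha256]),
        # with no SHA-256 DS in the set, a SHA-1 DS is still honoured
        "b_via_sha1_alone": dnskey_matches_ds(owner, key_b, [ds_b_sha1]),
        # downgrade case: SHA-1 DS for key B must be ignored once a SHA-256 DS exists
        "b_when_sha256_present": dnskey_matches_ds(owner, key_b, [ds_a_sha256, ds_b_sha1]),
        # digest is bound to the owner name, so the same key under another name fails
        "a_wrong_owner": dnskey_matches_ds("other.", key_a, [ds_a_sha256]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

A non-compliant validator differs from `usable_ds` only in keeping the SHA-1 entry when a SHA-256 entry exists; that single filter is what RFC 4509 section 3 asks for, and it is also the check a test for the #254 item would assert on.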
Missing features:

- `+cd`, no BADCACHE (tracked as #97 (closed))
- insecure answers aren't cached properly when asked with +dnssec (refetched)
- names below NTA answered from cache are still treated as valid (cache should be purged below)