CNAME breaks DS queries if CNAME is at apex (non-compliant auth side)
kresd replies incorrectly for `name.example. DS` queries if `name.example.` has CNAME at apex `name.example.`.
This seems to affect only non-compliant servers which allow CNAME at apex. Such zones are illegal according to https://tools.ietf.org/html/rfc1034#section-3.6.2.
This bug is present in 2.3.0 and breaks validating forwarders which point to kresd. Related: #153 (closed)
Affected domain: ucarecdn.com
DNSViz: http://dnsviz.net/d/ucarecdn.com/WvYPzQ/dnssec/
DNSViz mirror dnsviz-ucarecdn.pdf
Second affected domain (with wildcard): coder.show
DNSViz: http://dnsviz.net/d/coder.show/WwVyFQ/dnssec/
DNSViz mirror dnsviz-coder-show.pdf
Steps to reproduce:
- dig +dnssec coder.show A
- dig +dnssec coder.show DS
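
A check for the zone-side condition described above, as an added example that is not part of the original report or of kresd: it flags owner names where a CNAME coexists with other data, and names the apex (the SOA owner) when it carries a CNAME. The zone text is constructed sample data in a simplified one-record-per-line form with fully qualified owner names, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample zone (not data from the affected domains).
SAMPLE_ZONE = """\
name.example.      3600 IN SOA   ns1.name.example. admin.name.example. 1 7200 900 1209600 300
name.example.      3600 IN NS    ns1.name.example.
name.example.      3600 IN CNAME target.cdn.example.
name.example.      3600 IN RRSIG CNAME 8 2 3600 20300101000000 20200101000000 12345 name.example. c2ln
www.name.example.  3600 IN CNAME target.cdn.example.
www.name.example.  3600 IN NSEC  name.example. CNAME RRSIG NSEC
ns1.name.example.  3600 IN A     192.0.2.53
"""

# DNSSEC record types that may share an owner name with a CNAME (RFC 4035, section 2.5).
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}


def types_by_owner(zone_text):
    """Map each owner name (lower-cased) to the set of record types present at it."""
    owners = defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments; assumes no ';' inside rdata
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"expected 'owner ttl class type rdata', got: {raw!r}")
        owner, _ttl, _rclass, rtype = fields[:4]
        owners[owner.lower()].add(rtype.upper())
    return owners


def cname_conflicts(zone_text):
    """Return {owner: [other types]} for nodes violating RFC 1034 section 3.6.2."""
    conflicts = {}
    for owner, types in types_by_owner(zone_text).items():
        extra = types - {"CNAME"} - ALLOWED_WITH_CNAME
        if "CNAME" in types and extra:
            conflicts[owner] = sorted(extra)
    return conflicts


def apex_cnames(zone_text):
    """Return owners that hold both SOA and CNAME, i.e. a CNAME at the zone apex."""
    return sorted(o for o, t in types_by_owner(zone_text).items() if {"SOA", "CNAME"} <= t)


if __name__ == "__main__":
    print("CNAME conflicts:", cname_conflicts(SAMPLE_ZONE))
    print("CNAME at apex:", apex_cnames(SAMPLE_ZONE))
```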