Issues resolving ckeditor.com using 1.1.1.1 as a bind forwarder with DNSSEC enabled


#1

I’m not sure if it’s an issue with 1.1.1.1 or their DNS setup. I can resolve it just fine with DNSSEC enabled when I don’t have a forwarder configured in bind.

I’ve been using 1.1.1.1 as a forwarder for weeks now and this is the first domain that I’ve noticed a problem with.


#2

They seem to have CNAME in the zone apex. That’s against RFCs and it causes problems especially in more complex cases like forwarding. http://dnsviz.net/d/ckeditor.com/Wt7Gtg/dnssec/ EDIT: to be clear, I do not know what exactly is causing the problem, but I’ve learned to just ignore debugging domains that clearly break standards…


#3

It’s just really strange that it resolves using dig directly asking 1.1.1.1 with the +dnssec flag, but doesn’t when it’s a bind forwarder.

I’m not seeing the same issue with other domains, whether they’re signed or not.


#4

That’s common. The ambiguity caused by apex CNAMEs cause worse trouble when forwarding than with iterating. That’s related to the forwarder returning the whole CNAME chain. Therefore the forwarding resolver can’t e.g. get DNSKEY for the zone apex, as it always gets answer for CNAME’s target instead.