Skip to content

plugin/dnssec: fix bogus RRSIGs for out-of-zone CNAME targets#8138

Merged
yongtang merged 1 commit into
coredns:masterfrom
Isolus:dnssec-cname-fix
Jun 6, 2026
Merged

plugin/dnssec: fix bogus RRSIGs for out-of-zone CNAME targets#8138
yongtang merged 1 commit into
coredns:masterfrom
Isolus:dnssec-cname-fix

Conversation

@Isolus

@Isolus Isolus commented Jun 3, 2026

Copy link
Copy Markdown
Collaborator

1. Why is this pull request needed and what does it do?

The DNSSEC signer signs every RRset in a response with the zone matched
from the query name. When a CNAME points to a target outside the served
zone(s), the target's records were signed with our key. Validators reject
these as bogus.

This PR makes the Sign() function check first whether the target is outside
the served zone(s).

2. Which issues (if any) are related?

This was already adressed in #3891 but the fix was incomplete.

3. Which documentation changes (if any) need to be made?

None.

4. Does this introduce a backward incompatible change or deprecation?

No.

plugin/dnssec: sign each RRset with the zone that owns its name, not …
1c3ae8d 
…the query zone

Signed-off-by: Björn Kinscher <code@bjoern-kinscher.de>
@Isolus Isolus requested a review from miekg as a code owner June 3, 2026 06:11
@yongtang yongtang merged commit b49fe2d into coredns:master Jun 6, 2026
13 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Jun 9, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yongtang yongtang yongtang approved these changes

@miekg miekg Awaiting requested review from miekg miekg is a code owner

Assignees

No one assigned

Labels

plugin/dnssec

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Isolus @yongtang