[dns-operations] Cloudflare public DNS, resolved(!) incomplete NSEC responses
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Oct 30 05:49:47 UTC 2020
On Wed, Oct 28, 2020 at 10:27:23PM -0400, Viktor Dukhovni wrote:
> The TLSA query below elicits an incomplete NSEC response, with just one
> of the two required records present. The returned NSEC record covers the
> qname but not the wildcard:
>
> _25._tcp.fotobehang24.nl. IN TLSA ? ; NXDomain AD=1
> fotobehang24.nl. IN SOA ns.zxcs.nl. hostmaster at zxcs.nl. 2020070913 ...
> fotobehang24.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
> _domainkey.fotobehang24.nl. IN NSEC ftp.fotobehang24.nl. TXT RRSIG NSEC
> _domainkey.fotobehang24.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...
>
> Similar results for a few more domains below my signature, which are but
> a fraction of the full set.
The lightning-speed resolution is impressive and much appreciated!
This is working now. Thank you CloudFlare.
--
Viktor.
[ This compares very favourably with some of my reported DoE issues with
a few DNS providers, some of which are over a year old! ]
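
The completeness check described in the quoted report, as an added example that is not part of the original message: an NXDOMAIN proof needs one NSEC covering the qname and one covering the wildcard at the closest encloser. It assumes the RRSIGs were already validated and that names contain no escaped dots; the function names and the second NSEC in `COMPLETE` are constructed for illustration.

```python
def canon(name):
    """RFC 4034 sec. 6.1 sort key: lowercased labels, rightmost label first."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split("."))]

def covers(owner, nxt, name):
    """True if the NSEC (owner -> nxt) proves that `name` does not exist."""
    o, n, x = canon(owner), canon(nxt), canon(name)
    if o < n:
        return o < x < n
    return x > o or x < n  # last NSEC in the zone wraps back to the apex

def closest_encloser(qname, owner, nxt):
    """Longest ancestor of qname shared with either end of the covering NSEC."""
    q = canon(qname)
    def common(other):
        k = 0
        for a, b in zip(q, canon(other)):
            if a != b:
                break
            k += 1
        return k
    k = max(common(owner), common(nxt))
    return ".".join(l.decode() for l in reversed(q[:k])) + "."

def check_nxdomain(qname, nsecs):
    """Return the missing proofs; an empty list means the denial is complete."""
    cover = next(((o, n) for o, n in nsecs if covers(o, n, qname)), None)
    if cover is None:
        return ["no NSEC covers qname " + qname]
    wildcard = "*." + closest_encloser(qname, *cover)
    if not any(covers(o, n, wildcard) for o, n in nsecs):
        return ["no NSEC covers wildcard " + wildcard]
    return []

QNAME = "_25._tcp.fotobehang24.nl."
# The single NSEC from the reported response (owner, next name).
REPORTED = [("_domainkey.fotobehang24.nl.", "ftp.fotobehang24.nl.")]
# Constructed second record: an apex NSEC that would cover the wildcard.
COMPLETE = REPORTED + [("fotobehang24.nl.", "_domainkey.fotobehang24.nl.")]

if __name__ == "__main__":
    print(check_nxdomain(QNAME, REPORTED))
    print(check_nxdomain(QNAME, COMPLETE))
```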