[dns-operations] Looking for wildcard record served by a stable signed TLD nameserver

Paul Wouters paul at nohats.ca
Fri May 9 15:48:14 UTC 2014


fedorahosted.org and fedorapeople.org use wildcards which fail often
when people are chained to an older bind version with the "NOQNAME
NSEC/NSEC3 proof extraction bug".

(See https://bugzilla.redhat.com/show_bug.cgi?id=824219)

For tools (like dnssec trigger) to detect this, we need a "stable"
location of such a wildcard to add a probe test. Ideally within a TLD
as dnssec-trigger prefers to use TLDs for stability - it would be bad
if a test gave a false positive and reconfigures everyone's forwarding
resolver differently.

As this issue comes up with a new duplicate bug entry every few months,
I'm looking at a friendly (DNSSEC signed) TLD who has or is willing to
put in a wildcard at some very stable location so we can add this test
to dnssec-trigger.


More information about the dns-operations mailing list