[dns-operations] Lack of tlsa support
Joe Abley
jabley at hopcount.ca
Wed May 27 17:32:06 UTC 2015
On 27 May 2015, at 16:16, Mark Andrews wrote:
> Do we really have to fight to get every new type supported?
>
> Mark
>
> marka at ednscomp ~/tld-report]$ awk '$4 == "NS" {print $1, $5}' root.db
> | sh gentypereport tlsa | grep -v "all ok"
> accountant. @156.154.144.195 (ns1.dns.nic.accountant.): tlsa=timeout
> accountant. @156.154.145.195 (ns2.dns.nic.accountant.): tlsa=timeout
> accountant. @156.154.159.195 (ns3.dns.nic.accountant.): tlsa=timeout
> accountant. @156.154.156.195 (ns4.dns.nic.accountant.): tlsa=timeout
> accountant. @156.154.157.195 (ns5.dns.nic.accountant.): tlsa=timeout
> accountant. @156.154.158.195 (ns6.dns.nic.accountant.): tlsa=timeout

It's hard to know what you're testing (what gentypereport does), but if
you're looking for TLSA records in the ACCOUNTANT zone above, I'm not
sure why; new gTLD operators are constrained by contract as to the
RRTypes they're allowed to publish, and TLSA isn't one of them. It's not
obvious that this is a problem for anybody, though; it's not like you'd
expect to see a TLSA RRSet in there.

What is the point you're making?

For what it's worth, I have no problem getting a reasonable (negative)
response to ACCOUNTANT/IN/TLSA or SOMETHING.ACCOUNTANT/IN/TLSA from
156.154.144.195 with EDNS0.DO=1 or without EDNS0. Perhaps I'm special
:-)

Joe