[dns-operations] isphuset.no/fsdata.se DNSSEC breakage

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Sep 5 04:19:30 UTC 2016


On Mon, Sep 05, 2016 at 01:55:19PM +1000, Mark Andrews wrote:

> It's not just TLSA.
> 
> The servers also get basic DNS wrong, let alone EDNS or DNSSEC.
> Truncated responses are not marked as truncated as required.  The
> OPT record isn't included in the truncated response as required.
> Not all EDNS queries get an EDNS response.

Is this at all similar to the situation with DNSKEY lookups for
say uspto.gov (I don't know what DNS server software is used by
the nameservers for that domain):

    http://dnsviz.net/d/uspto.gov/V8zmzA/dnssec/?rr=6&a=all&ds=all&ta=.&tk=

> Presumably all of these issues have been fixed in later releases.

I've not encountered any similar issues with folks who did upgrade
to reasonably recent versions of PowerDNS.  Admittedly my tests
are far from comprehensive.  I just look for "unbound" to not fail
to return the MX/A/AAAA/TLSA RRsets if they exist, or to return
NXDOMAIN or NODATA when they do not.

I've not been testing any other DNS/DNSSEC edge-cases.  I don't
even make a fuss when the glue and authoritative NS or A/AAAA RRsets
don't match up.

-- 
	Viktor.
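
The failures listed in the quoted text above (truncation without TC, no OPT in a truncated response, no OPT in reply to an EDNS query) can be checked on a single UDP response in wire format. This is an added example, not part of the original thread or any poster's code; the function names and sample messages are constructed, and it assumes a badly truncated reply shows up as header counts that promise more records than the message contains.

```python
import struct

TYPE_OPT, TC_BIT = 41, 0x0200

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]                  # IndexError if the message ends here
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def audit_response(msg, query_had_edns=True):
    """List protocol problems found in one UDP response (wire format)."""
    if len(msg) < 12:
        return ["shorter than a DNS header"]
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    tc, has_opt, complete, off = bool(flags & TC_BIT), False, True, 12
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4              # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _c, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            has_opt = has_opt or rtype == TYPE_OPT
        if off > len(msg):
            raise IndexError("last field runs past end of message")
    except (IndexError, struct.error):
        complete = False                   # header counts promise more than was sent
    problems = []
    if not complete and not tc:
        problems.append("message cut short but TC not set")
    if query_had_edns and not has_opt:
        problems.append("truncated response lacks OPT" if tc
                        else "EDNS query got no OPT in response")
    return problems

# Constructed sample messages (not captured traffic); question is "example. IN TXT".
QUESTION = b"\x07example\x00" + struct.pack("!HH", 16, 1)
TXT_RR = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, 4) + b"\x03abc"
OPT_RR = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, 0)
def header(flags, an, ar):
    return struct.pack("!6H", 0x1234, flags, 1, an, 0, ar)
GOOD = header(0x8400, 1, 1) + QUESTION + TXT_RR + OPT_RR
CUT_NO_TC = header(0x8400, 3, 1) + QUESTION + TXT_RR   # 4 RRs promised, 1 sent
TC_NO_OPT = header(0x8600, 0, 0) + QUESTION            # TC set, OPT missing
```

A response that a conforming server truncates by dropping whole records and adjusting the counts looks complete to this check, so a clean result here does not prove the answer was not shortened.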


