[dns-operations] Hall of DNS Shame (?)

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jan 24 20:00:21 UTC 2017


On Tue, Jan 24, 2017 at 11:40:53AM -0800, Matthew Pounsett wrote:

> > I don't see why a list of poor DNS implementations should be limited to
> > malformed packets, and exclude well formed bad data.
> 
> Because that's not a problem with the implementation, it's a problem with
> the data.

Actually, on the contrary, the problem is almost always with the
implementation.  It constructs incorrect denial of existence.  The
solution is upgrading or otherwise fixing bugs in the DNS servers.

Typically, the wrong NSEC/NSEC3 records are returned, failing to
establish the correct closest encloser proof.  Or no NSEC records
are returned at all.

Also, if the tooling used to manage the zone data consistently
creates bad data (incorrect signatures, ...), then the issue is
again not occasional "bad data" but rather systemic buggy software.

-- 
	Viktor.
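
Added example, not part of the original message and not code from any DNS server or resolver: a minimal check of an NSEC-based NXDOMAIN proof, showing how a response with the wrong NSEC records, or none, fails to establish the closest encloser proof. It assumes the RRSIGs have already been validated and that names are plain ASCII without escaped labels; the zone data is constructed and the function names are hypothetical.

```python
# Added example: NSEC-based NXDOMAIN proof check (signatures assumed already valid).

def labels(name):
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def canon_key(name):
    # RFC 4034 section 6.1: compare labels right to left, case-insensitively.
    return [l.encode() for l in reversed(labels(name))]

def covers(owner, nxt, qname):
    """True if the NSEC (owner -> nxt) proves that qname does not exist."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps back to the apex

def common_suffix(a, b):
    ka, kb = canon_key(a), canon_key(b)
    i = 0
    while i < min(len(ka), len(kb)) and ka[i] == kb[i]:
        i += 1
    return ".".join(l.decode() for l in reversed(ka[:i])) + "."

def check_nxdomain(qname, nsecs):
    """nsecs: list of (owner, next) pairs from the authority section."""
    cover = next(((o, n) for o, n in nsecs if covers(o, n, qname)), None)
    if cover is None:
        return False, "no NSEC covers the query name"
    # Closest encloser: longest ancestor shared with either end of the covering NSEC.
    ce = max((common_suffix(qname, x) for x in cover), key=lambda s: len(labels(s)))
    wildcard = "*." + ce.lstrip(".")
    if any(canon_key(o) == canon_key(wildcard) for o, _ in nsecs):
        return False, f"{wildcard} exists, so NXDOMAIN is the wrong answer"
    if not any(covers(o, n, wildcard) for o, n in nsecs):
        return False, f"no NSEC covers wildcard {wildcard}"
    return True, f"closest encloser {ce}"

# Constructed sample data for a hypothetical zone example.com.
APEX = ("example.com.", "a.example.com.")
MID = ("mail.example.com.", "www.example.com.")
QNAME = "nope.example.com."

if __name__ == "__main__":
    for label, nsecs in [("correct", [MID, APEX]), ("no wildcard cover", [MID]),
                         ("wrong NSEC", [APEX]), ("no NSEC at all", [])]:
        print(label, check_nxdomain(QNAME, nsecs))
```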


