[dns-operations] coop. provides broken NSEC3 proofs of non-existence

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Mon Oct 23 09:08:56 UTC 2017


Hello!

On 10/22/2017 02:42 PM, Stephane Bortzmeyer wrote:
> The Knot resolver (but not Unbound, BIND or Google Public DNS) thus
> returns SERVFAIL (should they?)
I believe the answers provided over IPv4 are valid but those over IPv6
are not. I might be wrong, but I'm fairly confident about it now.
Details of my reasoning:
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/261#note_58800

As for http://dnsviz.net/d/ouvaton.coop/WexxZg/dnssec/ - it supports my
reasoning with one pair of NSEC3 RRs proving the delegation - those I
obtain via IPv4. There's also another NSEC3 record shown, covering a
nonsensical range from VIO... to 23... and that's one I get via IPv6.

--Vladimir



