[dns-operations] coop. provides broken NSEC3 proofs of non-existence
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Mon Oct 23 09:08:56 UTC 2017
Hello!
On 10/22/2017 02:42 PM, Stephane Bortzmeyer wrote:
> The Knot resolver (but not Unbound, BIND or Google Public DNS) thus
> returns SERVFAIL (should they?)
I believe the answers provided over IPv4 are valid but those over IPv6
are not. I might be wrong, but I'm fairly confident about it now.
Details of my reasoning:
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/261#note_58800
As for http://dnsviz.net/d/ouvaton.coop/WexxZg/dnssec/ - it supports my
reasoning with one pair of NSEC3 RRs proving the delegation - those I
obtain via IPv4. There's also another NSEC3 record shown, covering a
nonsensical range from VIO... to 23... and that's one I get via IPv6.
--Vladimir