[dns-operations] coop. provides broken NSEC3 proofs of non-existence

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Mon Oct 23 09:08:56 UTC 2017


On 10/22/2017 02:42 PM, Stephane Bortzmeyer wrote:
> The Knot resolver (but not Unbound, BIND or Google Public DNS) thus
> returns SERVFAIL (should they?)
I believe the answers provided over IPv4 are valid but those over IPv6
are not.  I might be wrong, but I'm fairly confident about it now. 
Details of my reasoning:

As for http://dnsviz.net/d/ouvaton.coop/WexxZg/dnssec/ - it supports my
reasoning with one pair of NSEC3 RRs proving the delegation - those I
obtain via IPv4.  There's also another NSEC3 record shown, covering a
nonsensical range from VIO... to 23... and that's one I get via IPv6.
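
Added example, not part of the original message and not code from any resolver discussed in the thread: the per-record check a validator applies to NSEC3 records under RFC 5155, hashing the query name and then deciding whether a record matches it or covers it, including the wrap-around of the last record in a chain. The function names and the sample chain are constructed for illustration.

```python
import base64
import hashlib

# NSEC3 owner labels use base32hex; map the RFC 4648 base32 alphabet onto it.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1 over the canonical wire-format name plus
    salt, then `iterations` additional rounds; result in base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")

def covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if the record (owner_hash -> next_hash) covers target_hash.
    An equal owner hash is a match (the name exists), not a cover."""
    o, n, t = owner_hash.upper(), next_hash.upper(), target_hash.upper()
    if o < n:                       # ordinary interval inside the chain
        return o < t < n
    # o >= n: last record of the chain wraps around to the first owner
    # (o == n is a single-record chain covering everything but itself)
    return t > o or t < n

def classify(records, target_hash):
    """Label each (owner, next) pair as 'matches', 'covers' or 'unrelated'."""
    labels = []
    for owner, nxt in records:
        if owner.upper() == target_hash.upper():
            labels.append("matches")
        elif covers(owner, nxt, target_hash):
            labels.append("covers")
        else:
            labels.append("unrelated")
    return labels

if __name__ == "__main__":
    # Constructed three-record chain; real hashes are 32 base32hex characters.
    chain = [("2" * 32, "8" * 32), ("8" * 32, "T" * 32), ("T" * 32, "2" * 32)]
    for probe in ("5" * 32, "V" * 32, "8" * 32):
        print(probe[:4], classify(chain, probe))
```

Base32hex keeps the byte order of the underlying hashes, so plain string comparison of equal-length upper-case hashes gives the chain ordering.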

