[dns-operations] Cloudflare DNS resolver ( Weird DNSSEC race condition

Michael Sinatra michael at brokendns.net
Fri Aug 3 21:28:02 UTC 2018

On 08/03/18 12:18, Michael Sinatra wrote:

> I'll update this if/when all Cloudflare instances figure out that
> they're supposed to validate my zone and return signatures when the DO
> bit is set, but in the meantime, I'd say that using Cloudflare as part
> of a forwarding, validating resolver configuration is "considered
> dangerous."

The US/west-coast instance began requesting RRSIGs and returning them at
14:18:25 PDT (this is when the DO bit was first set in queries to my
authoritative servers).  This was approximately 3 hours after I inserted
the DS record (and said record showed up in the cache of the same
Cloudflare instance).  Note that I have also contacted
noc at cloudflare.com on this issue, but I don't have any more specific
contact for the service.  (I have skimmed through the various
blog posts on that service and can't find any operational contact info.)
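The failure mode described in this thread is a resolver that answers with the DO bit echoed in its OPT record but without RRSIGs for a zone whose DS is already published, which a downstream validating forwarder then cannot verify. The following Python is an added example, not code from the post or from Cloudflare, and it assumes nothing about the real service: it parses constructed DNS responses (hand-built wire-format messages with placeholder RRSIG rdata rather than real signatures) and classifies what an upstream handed back, so an operator can check a forwarder's answers offline before relying on it.

```python
import struct

# RR type codes from the IANA registry
TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
FLAG_AD = 0x0020      # header AD bit
OPT_DO = 0x8000       # DO bit lives in the OPT record's TTL field


def _encode_name(name):
    """Wire-encode a dotted name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(msg, off):
    """Decode a name at offset, following compression pointers; returns (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def _read_rr(msg, off):
    name, off = _read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    return (name, rtype, rclass, ttl, msg[off:off + rdlen]), off + rdlen


def analyse(msg):
    """Return header AD bit, OPT DO bit, and whether RRSIGs appear in answer/authority."""
    _ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):                       # skip question section
        _, off = _read_name(msg, off)
        off += 4
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            rrs.append(rr)
        sections.append(rrs)
    answer, authority, additional = sections
    return {
        "ad": bool(flags & FLAG_AD),
        "do": any(rr[1] == TYPE_OPT and rr[3] & OPT_DO for rr in additional),
        "answer_count": an,
        "rrsig_in_answer": any(rr[1] == TYPE_RRSIG for rr in answer),
        "rrsig_in_authority": any(rr[1] == TYPE_RRSIG for rr in authority),
    }


def classify(msg):
    """Verdict on an upstream response for a zone the caller knows is signed (DS published)."""
    r = analyse(msg)
    if not r["do"]:
        return "no-edns-do"            # upstream ignored DO; nothing to validate with
    if r["answer_count"] == 0:
        return "signed-negative" if r["rrsig_in_authority"] else "unsigned-negative"
    return "signed" if r["rrsig_in_answer"] else "unsigned-answer"


def build_response(qname, answer_rrs, do=True, ad=False):
    """Construct a minimal response: one question, given answer RRs, one OPT RR (test fixture)."""
    flags = 0x8180 | (FLAG_AD if ad else 0)   # QR, RD, RA
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer_rrs), 0, 1)
    body = _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answer_rrs:
        body += _encode_name(qname) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, OPT_DO if do else 0, 0)
    return hdr + body + opt


# Constructed fixtures (hypothetical zone; RRSIG rdata is a placeholder, not a real signature)
A_RDATA = bytes([192, 0, 2, 10])
FAKE_RRSIG = b"\x00\x01" + b"\x00" * 16
SIGNED = build_response("www.example.net.", [(TYPE_A, A_RDATA), (TYPE_RRSIG, FAKE_RRSIG)], ad=True)
STRIPPED = build_response("www.example.net.", [(TYPE_A, A_RDATA)])        # DO echoed, no RRSIG
NO_DO = build_response("www.example.net.", [(TYPE_A, A_RDATA)], do=False)

if __name__ == "__main__":
    for label, m in (("signed", SIGNED), ("stripped", STRIPPED), ("no-do", NO_DO)):
        print(label, classify(m), analyse(m))
```

A response classified as `unsigned-answer` for a zone whose DS is already in the parent is exactly the state a downstream validator will turn into SERVFAIL, so that verdict, rather than the presence of the AD bit alone, is the one to alert on when deciding whether a forwarder is safe to sit in front of a validating resolver.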
