[dns-operations] Cloudflare DNS resolver (1.1.1.1): Weird DNSSEC race condition

Marek Vavruša marek at vavrusa.com
Fri Aug 3 23:12:58 UTC 2018


This is due to the way Knot Resolver currently deals with insecure
delegations. If the delegation doesn't have a DS, the resolver
will remember the delegation as insecure and turn off DNSSEC until the
record expires from cache. The current cache maximum TTL is 3 hours,
which is when the NS+DS+DNSKEY was refetched. I've opened a ticket to
track this here:
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/391

Marek

On 3 August 2018 at 14:28, Michael Sinatra <michael at brokendns.net> wrote:
> On 08/03/18 12:18, Michael Sinatra wrote:
>
>> I'll update this if/when all Cloudflare instances figure out that
>> they're supposed to validate my zone and return signatures when the DO
>> bit is set, but in the meantime, I'd say that using Cloudflare as part
>> of a forwarding, validating resolver configuration is "considered
>> dangerous."
>
> The US/west-coast instance began requesting RRSIGs and returning them at
> 14:18:25 PDT (this is when the DO bit was first set in queries to my
> authoritative servers).  This was approximately 3 hours after I inserted
> the DS record (and said record showed up in the cache of the same
> Cloudflare instance).  Note that I have also contacted
> noc at cloudflare.com on this issue, but I don't have any more specific
> contact for the 1.1.1.1 service.  (I have skimmed through the various
> blog posts on that service and can't find any operational contact info.)
>
> michael
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
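The check Michael describes above (send a query with the DO bit set, then look at whether the resolver returns RRSIGs and sets the AD flag) can be scripted without any DNS library. The block below is an added example written for this thread, not code from either poster or from the Knot Resolver project; it uses only the Python standard library, and the "response" it inspects is a constructed byte string standing in for what a resolver would return, so it runs offline. The function names (`build_query`, `parse_response`, `assess`) are this example's own.

```python
import struct

# Constructed example: build a DNS query carrying the EDNS0 DO bit and
# classify a resolver's response as validating / signed-but-unauthenticated /
# insecure, based on the AD header flag and the presence of RRSIG records.

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
EDNS_DO = 0x8000      # DO bit in the OPT record's flags field
FLAG_AD = 0x0020      # AD (authenticated data) bit in the DNS header


def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, dnssec_ok=True):
    """Recursive query with one question and an OPT pseudo-RR; DO set by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, arcount=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    flags = EDNS_DO if dnssec_ok else 0
    # OPT: root owner, type 41, UDP size 4096, ext-rcode 0, version 0, flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, flags, 0)
    return header + question + opt


def skip_name(msg, off):
    """Advance past a name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract the bits this check cares about from a wire-format response."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types, do_echoed = [], False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            # In OPT the 32-bit TTL slot holds ext-rcode, version and flags.
            do_echoed = bool(ttl & EDNS_DO)
        types.append(rtype)
        off += rdlen
    return {"ad": bool(flags & FLAG_AD), "do": do_echoed,
            "rrsig_count": types.count(TYPE_RRSIG), "answer_count": an}


def assess(parsed):
    """What the response tells you about the resolver's handling of the zone."""
    if parsed["ad"] and parsed["rrsig_count"] > 0:
        return "validating"          # signatures returned and validated
    if parsed["rrsig_count"] > 0:
        return "signatures-but-no-ad"  # passed through, not validated
    return "insecure"                # no RRSIGs at all despite DO


def build_response(name, txid=0x1234, signed=True, ad=True):
    """Constructed stand-in for a resolver reply: one A record, optional RRSIG, OPT."""
    flags = 0x8180 | (FLAG_AD if ad else 0)  # QR, RD, RA (+ AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, 2 if signed else 1, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"  # compression pointer back to the question name
    body = header + question + ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if signed:
        # RRSIG rdata is irrelevant to this check; a 4-byte placeholder suffices.
        body += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 4) + b"\x00\x01\x02\x03"
    return body + b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)


if __name__ == "__main__":
    q = build_query("example.net.", TYPE_A)
    print("query bytes with DO:", q.hex())
    for kw in ({"signed": True, "ad": True}, {"signed": False, "ad": False}):
        print(kw, "->", assess(parse_response(build_response("example.net.", **kw))))
```

In practice you would send `build_query(...)` over UDP to the resolver under test and feed the reply to `parse_response`; polling this every few minutes after a DS is published gives you the timeline Michael observed (no RRSIGs, then RRSIGs with AD once the cached insecure delegation has expired) rather than a one-off snapshot.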
