[dns-operations] Cloudflare DNS resolver ( Weird DNSSEC race condition

Michael Sinatra michael at brokendns.net
Sat Aug 4 00:53:17 UTC 2018

On 08/03/18 16:12, Marek Vavruša wrote:
> This is due to the way how Knot Resolver deals with insecure
> delegations currently. If the delegation doesn't have a DS, resolver
> will remember the delegation as insecure and turn off DNSSEC until the
> record expires from cache. The current cache maximum TTL is 3 hours,
> which is when the NS+DS+DNSKEY was refetched. I've opened a ticket to
> track this here
> https://gitlab.labs.nic.cz/knot/knot-resolver/issues/391

Yikes...well that explains the 3 hour delay on that one instance of

I knew you folks were using knot-resolver at the core of the
service, but wasn't sure if that or a Cloudflare optimization was the
cause of what I was seeing, so I didn't think to try to replicate it on
knot-resolver.  Thanks for opening the issue with CZ NIC.


More information about the dns-operations mailing list