[dns-operations] (Fixed) DoE problem with ns-cloud-e{1, 2, 3, 4}.googledomains.com nameservers
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Feb 16 04:04:19 UTC 2018
The below reported problem has been fixed, and the RCODE is now
the expected NoData. My thanks to the folks who made it so.
http://dnsviz.net/d/_25._tcp.merchantsgrotto.com/WoS1KQ/dnssec/
> On Jan 14, 2018, at 3:41 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> http://dnsviz.net/d/_25._tcp.merchantsgrotto.com/dnssec/
>
> merchantsgrotto.com. NS ns-cloud-e1.googledomains.com.
> merchantsgrotto.com. NS ns-cloud-e2.googledomains.com.
> merchantsgrotto.com. NS ns-cloud-e3.googledomains.com.
> merchantsgrotto.com. NS ns-cloud-e4.googledomains.com.
>
> Given the following associated NSEC3 hashes:
>
> r0lsfskc1usuq45j8ai51ar3g0jpfbuk. _25._tcp.merchantsgrotto.com
> fpi07bou6d19cbivvmdhmc60io9brfm4. *._tcp.merchantsgrotto.com
> tv76u352sbfolnmtmbaljq9r17ju6puo. _tcp.merchantsgrotto.com
> h4776gipetqofb4uoc023st5teh3o4j0. *.merchantsgrotto.com
> 31h72dljn4dlhjg5ecfv0umcan7amgmi. merchantsgrotto.com
>
> We see that the googledomains.com nameservers return incorrect
> NXDOMAIN proofs. Based on the returned NSEC3 records, the
> answer should be NODATA, not NXDOMAIN, because there's an
> NSEC3 record whose hash matches "*.merchantsgrotto.com" (be it
> one with an empty RRtype bitmap).
--
Viktor.
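
The NODATA-versus-NXDOMAIN decision described in the quoted report, as an added example that is not part of the original message: it hashes names per RFC 5155 and checks whether the wildcard at the closest encloser has a matching NSEC3 record. The function names, the salt `ab` and the iteration count `1` are assumptions (the zone's NSEC3 parameters are not in the message, so the computed hashes will not equal the quoted ones), and opt-out is not modelled.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex, the encoding used in NSEC3 owner labels.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1) of a domain name, as a base32hex label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # additional iterations after the first hash
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def expected_denial(qname, zone, owners, salt_hex, iterations):
    """Return the negative answer a signed zone should give for qname.

    owners: hashed owner labels of every NSEC3 record in the zone, including
    records with an empty type bitmap (a simplification: no opt-out spans).
    """
    def exists(name):
        return nsec3_hash(name, salt_hex, iterations) in owners
    qname, zone = qname.lower().rstrip("."), zone.lower().rstrip(".")
    if exists(qname):
        return "NODATA"                  # name exists, requested type does not
    labels = qname.split(".")
    for i in range(1, len(labels)):      # walk up to find the closest encloser
        ancestor = ".".join(labels[i:])
        if exists(ancestor):
            # A matching NSEC3 for the wildcard means the wildcard name exists,
            # so the query is a wildcard no-data case, not a name error.
            return "NODATA" if exists("*." + ancestor) else "NXDOMAIN"
        if ancestor == zone:
            break
    raise ValueError("apex has no matching NSEC3 record")

def demo():
    salt, iters = "ab", 1                # constructed NSEC3 parameters
    zone = "merchantsgrotto.com"
    qname = "_25._tcp." + zone
    apex_only = {nsec3_hash(zone, salt, iters)}
    with_wildcard = apex_only | {nsec3_hash("*." + zone, salt, iters)}
    return (expected_denial(qname, zone, with_wildcard, salt, iters),
            expected_denial(qname, zone, apex_only, salt, iters))

if __name__ == "__main__":
    print(demo())
```
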