[dns-operations] (Fixed) DoE problem with ns-cloud-e{1, 2, 3, 4}.googledomains.com nameservers

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Feb 16 04:04:19 UTC 2018

The below reported problem has been fixed, and the RCODE is now
the expected NoData.  My thanks to the folks who made it so.


> On Jan 14, 2018, at 3:41 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> http://dnsviz.net/d/_25._tcp.merchantsgrotto.com/dnssec/
> merchantsgrotto.com.    NS      ns-cloud-e1.googledomains.com.
> merchantsgrotto.com.    NS      ns-cloud-e2.googledomains.com.
> merchantsgrotto.com.    NS      ns-cloud-e3.googledomains.com.
> merchantsgrotto.com.    NS      ns-cloud-e4.googledomains.com.
> Given the following associated NSEC3 hashes:
> r0lsfskc1usuq45j8ai51ar3g0jpfbuk. _25._tcp.merchantsgrotto.com
> fpi07bou6d19cbivvmdhmc60io9brfm4. *._tcp.merchantsgrotto.com
> tv76u352sbfolnmtmbaljq9r17ju6puo. _tcp.merchantsgrotto.com
> h4776gipetqofb4uoc023st5teh3o4j0. *.merchantsgrotto.com
> 31h72dljn4dlhjg5ecfv0umcan7amgmi. merchantsgrotto.com
> We see that the googledomains.com nameservers return incorrect
> NXDOMAIN proofs.  Based on the returned NSEC3 records, the
> answer should be NODATA, not NXDOMAIN, because there's an
> NSEC3 record whose hash matches "*.merchantsgrotto.com" (be it
> one with an empty RRtype bitmap).


More information about the dns-operations mailing list