[dns-operations] Anyone on this list from Arbor Networks (or know a solid engineering contact)?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jun 19 05:35:43 UTC 2018


The recently reported issues, broadly affecting (at least)
a few thousand domains under nic.in, were, as surmised, due
to a misconfigured Arbor Networks firewall, in which DNS
filters were enabled that drop queries for all but the most
common RR types.  The telltale behaviour is that TLSA
lookups get through to the domain's IPv6 nameservers but
are dropped by the IPv4 nameservers, while the same qname
with type "A" gets through over IPv4.

This feature is akin to a loaded shotgun pointed at both of
the customer's own feet.  It would be really super for this
feature to be removed from the product, and perhaps for an
advisory to go out to existing customers that the feature
turned out in retrospect to do more harm than good and should
be disabled in any legacy software versions that still make
the misconfiguration possible...

-- 
	Viktor.
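
The telltale pattern described in the message above (type "A" answered over IPv4, TLSA silently dropped over IPv4 but answered over IPv6) can be checked per nameserver address. The sketch below is an added example, not part of the original post: the function names, the `SAMPLE` data and the documentation addresses are constructed for illustration, and any DNS response at all (including NODATA or NXDOMAIN) counts as "reply", since only silence indicates a drop.

```python
import socket, struct

QTYPES = {"A": 1, "TLSA": 52}  # RR type codes (RFC 1035, RFC 6698)

def build_query(qname, qtype, txid=0x1234):
    """Encode a minimal DNS query (RD=0, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def probe(server, qname, qtype, timeout=3.0, tries=2):
    """Send the query over UDP; return 'reply' for any DNS response, else 'timeout'."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    for _ in range(tries):
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(qname, qtype), (server, 53))
                data, _ = s.recvfrom(4096)
                if data[:2] == b"\x12\x34":      # transaction id matches our query
                    return "reply"
            except OSError:                      # timeout or unreachable: retry
                continue
    return "timeout"

def classify(results):
    """results: {(server, qtype): 'reply'|'timeout'} -> {server: verdict}."""
    verdicts = {}
    for server in sorted({s for s, _ in results}):
        a, tlsa = results[(server, "A")], results[(server, "TLSA")]
        if a == "reply" and tlsa == "timeout":
            verdicts[server] = "type-filtered"   # A passes, TLSA silently dropped
        elif a == "timeout":
            verdicts[server] = "unreachable"     # cannot tell filtering from outage
        else:
            verdicts[server] = "ok"
    return verdicts

# Constructed sample (documentation addresses), shaped like the report above:
SAMPLE = {
    ("192.0.2.53", "A"): "reply", ("192.0.2.53", "TLSA"): "timeout",
    ("2001:db8::53", "A"): "reply", ("2001:db8::53", "TLSA"): "reply",
}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

To run it against a real zone, call `probe()` for each authoritative nameserver address with the same qname and both types, and pass the collected results to `classify()`.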



