[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Apr 14 18:54:18 UTC 2019

On Sun, Apr 14, 2019 at 11:19:09AM -0400, Shumon Huque wrote:

> Not sure I have any specific suggestions, other than that the DNS community
> could try to work collectively to ensure that all major DNS providers have
> protocol compliant behavior.

That'd be great.  One recent problem "hotspot" is epik.com, where
I'm seeing many new problem domains showing.  These signed domains
have only the zone apex in their NSEC chain, but TLSA queries for
sub-domains return NODATA rather than NXDOMAIN.  This renders replies
for TLSA queries bogus, and breaks email delivery from DANE-enabled

For example (condensed):

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49327
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
    ;_25._tcp.h4ha.net.     IN TLSA
    h4ha.net.               SOA     ns1.epik.com. [...]
    h4ha.net.               NSEC    h4ha.net. A NS SOA RRSIG NSEC DNSKEY CAA

There does appear to be a wildcard in play:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39918
    ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    ;*.h4ha.net.            IN A
    *.h4ha.net.             RRSIG   A 13 2 [...]
    *.h4ha.net.             A

but, as seen above, it is not included in the NSEC chain.  The
behavior is identical across all ~3700 epik.com hosted domains I've
managed to find.

Most, but not all, of the domains don't have an SMTP server, and/or
are rather obscure, so the impact of the problem is presently minor,
but it is growing as epik.com expand their customer base.
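The denial-of-existence check a validator applies to the reply above, as an added example that is not part of the original mail (Python; assumes NSEC records are handed in as (owner, next, type-set) tuples and simplifies the closest-encloser derivation):

```python
# Added example, not from the thread: does the NSEC in a NODATA reply prove
# NODATA for the qname (RFC 4034/4035)? NSECs are (owner, next, {types}).

def _key(name):
    """Canonical ordering key (RFC 4034 s6.1): lowercase labels, rightmost first."""
    return [l.lower().encode() for l in name.rstrip(".").split(".") if l][::-1]

def nsec_covers(owner, nxt, name):
    """True if name lies strictly inside the gap (owner, next). The last NSEC
    wraps to the apex (next <= owner); a one-record chain covers all but owner."""
    o, n, q = _key(owner), _key(nxt), _key(name)
    return o < q < n if o < n else (q > o or q < n)

def closest_encloser(qname, nsec):
    """Longest ancestor of qname shared with the covering NSEC's owner or next
    (simplified: a full validator also honours zone cuts and DNAMEs)."""
    best = []
    for other in nsec[:2]:
        common = []
        for x, y in zip(_key(qname), _key(other)):
            if x != y:
                break
            common.append(x)
        best = max(best, common, key=len)
    return ".".join(l.decode() for l in reversed(best)) + "."

def proves_nodata(qname, qtype, nsecs):
    """RFC 4035 s5.4: NODATA needs an NSEC owned by qname whose bitmap lacks
    qtype, or (wildcard case) an NSEC covering qname plus an NSEC owned by
    *.<closest encloser> whose bitmap lacks qtype. Anything else is bogus."""
    for owner, _, types in nsecs:
        if _key(owner) == _key(qname):
            return qtype not in types and "CNAME" not in types
    for nsec in nsecs:
        if nsec_covers(nsec[0], nsec[1], qname):
            wild = "*." + closest_encloser(qname, nsec)
            return any(_key(o) == _key(wild) and qtype not in t for o, _, t in nsecs)
    return False

# Constructed from the condensed dig output: the zone's single NSEC points at
# itself, so the chain claims the apex is the only name in the zone.
EPIK_CHAIN = [("h4ha.net.", "h4ha.net.",
               {"A", "NS", "SOA", "RRSIG", "NSEC", "DNSKEY", "CAA"})]
# Constructed: the same chain with the existing wildcard actually included.
FIXED_CHAIN = [("h4ha.net.", "*.h4ha.net.", EPIK_CHAIN[0][2]),
               ("*.h4ha.net.", "h4ha.net.", {"A", "RRSIG", "NSEC"})]

if __name__ == "__main__":
    print(proves_nodata("_25._tcp.h4ha.net.", "TLSA", EPIK_CHAIN))   # False: bogus
    print(proves_nodata("_25._tcp.h4ha.net.", "TLSA", FIXED_CHAIN))  # True
```

With the wildcard in the chain, a TLSA query is proven NODATA, while an A query is not (the wildcard's bitmap has A, so the correct reply is a wildcard-expanded answer, not NODATA).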
