[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?
ietf-dane at dukhovni.org
Sun Apr 14 18:54:18 UTC 2019
On Sun, Apr 14, 2019 at 11:19:09AM -0400, Shumon Huque wrote:
> Not sure I have any specific suggestions, other than that the DNS community
> could try to work collectively to ensure that all major DNS providers have
> protocol compliant behavior.
That'd be great. One recent problem "hotspot" is epik.com, where
I'm seeing many new problem domains showing. These signed domains
have only the zone apex in their NSEC chain, but TLSA queries for
sub-domains return NODATA rather than NXDOMAIN. This renders replies
for TLSA queries bogus, and breaks email delivery from DANE-enabled
For example (condensed):
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49327
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.h4ha.net. IN TLSA
h4ha.net. SOA ns1.epik.com. [...]
h4ha.net. NSEC h4ha.net. A NS SOA RRSIG NSEC DNSKEY CAA
There does appear to be a wildcard in play:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39918
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;*.h4ha.net. IN A
*.h4ha.net. RRSIG A 13 2 [...]
*.h4ha.net. A 188.8.131.52
but, as seen above, it is not included in the NSEC chain. The
behavior is identical across all ~3700 epik.com hosted domains I've
managed to find.
Most, but not all, of the domains don't have an SMTP server, and/or
are rather obscure, so the impact of the problem is presently minor,
but it is growing as epik.com expand their customer base.
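To make the "bogus" verdict concrete, here is an added example (not from the post, and not code from any DNS software) that applies the RFC 4035 section 3.1.3 NSEC proof rules, with RFC 4034 section 6.1 canonical ordering, to the condensed responses above. It checks only the denial-of-existence logic, not RRSIGs. PAGE_CHAIN is the apex-only NSEC shown in the post; WILDCARD_CHAIN is a chain I constructed that also carries the *.h4ha.net name, to contrast what each chain can and cannot prove.

```python
"""Minimal NSEC denial-of-existence checker (no signature verification).

Added example: models the proof rules of RFC 4035 s.3.1.3 (NODATA, NXDOMAIN,
wildcard NODATA) and RFC 4034 s.6.1 canonical name ordering. PAGE_CHAIN is the
NSEC from the post; WILDCARD_CHAIN is a constructed chain for contrast.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str
    next: str
    types: frozenset


def labels(name):
    # "a.b.example." -> ["example", "b", "a"]: root-first, case-folded
    return [l.lower() for l in name.rstrip(".").split(".") if l][::-1]


def canonical_key(name):
    # RFC 4034 s.6.1: compare labels from the root, octet-wise; an ancestor
    # (shorter label list) sorts before its descendants.
    return tuple(l.encode() for l in labels(name))


def covers(nsec, name):
    """True if name lies strictly between owner and next in canonical order.
    The last NSEC in a chain wraps to the apex (next <= owner), so anything
    after the owner or before the apex is covered by it."""
    o, n, q = canonical_key(nsec.owner), canonical_key(nsec.next), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n


def common_ancestor(a, b):
    """Longest common suffix of two names, as a name ("." for the root)."""
    la, lb = labels(a), labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return ".".join(reversed(la[:n])) + "."


def closest_encloser(nsec, qname):
    # The deepest existing ancestor of qname is derived from the covering
    # NSEC: the longer of its owner/next shares the most labels with qname.
    deeper = max(nsec.owner, nsec.next, key=lambda x: len(labels(x)))
    return common_ancestor(qname, deeper)


def check_nodata(qname, qtype, nsecs):
    """NODATA proof: an NSEC owned by qname whose bitmap lacks qtype and CNAME,
    or a wildcard NODATA proof (NSEC covering qname + NSEC owned by
    *.<closest encloser> lacking qtype). Returns (ok, reason)."""
    for r in nsecs:
        if canonical_key(r.owner) == canonical_key(qname):
            if qtype in r.types or "CNAME" in r.types:
                return False, "matching NSEC says %s or CNAME exists" % qtype
            return True, "exact-match NSEC lacks %s" % qtype
    for cov in nsecs:
        if not covers(cov, qname):
            continue
        wc = "*." + closest_encloser(cov, qname).lstrip(".")
        for r in nsecs:
            if canonical_key(r.owner) == canonical_key(wc) and \
                    qtype not in r.types and "CNAME" not in r.types:
                return True, "wildcard NODATA via %s" % wc
    return False, "no NSEC matches qname or its wildcard: NODATA proof is bogus"


def check_nxdomain(qname, nsecs):
    """NXDOMAIN proof: an NSEC covering qname and an NSEC covering the wildcard
    at the closest encloser (so a wildcard cannot have synthesized an answer)."""
    for cov in nsecs:
        if not covers(cov, qname):
            continue
        wc = "*." + closest_encloser(cov, qname).lstrip(".")
        if any(covers(r, wc) for r in nsecs):
            return True, "qname covered by %s, wildcard %s covered" % (cov.owner, wc)
        return False, "qname covered but nothing covers %s" % wc
    return False, "no NSEC covers qname"


APEX_TYPES = frozenset({"A", "NS", "SOA", "RRSIG", "NSEC", "DNSKEY", "CAA"})

# From the post: the only NSEC in the zone points back at the apex.
PAGE_CHAIN = [NSEC("h4ha.net.", "h4ha.net.", APEX_TYPES)]

# Constructed contrast: a chain that also enumerates *.h4ha.net (A only).
WILDCARD_CHAIN = [
    NSEC("h4ha.net.", "*.h4ha.net.", APEX_TYPES),
    NSEC("*.h4ha.net.", "h4ha.net.", frozenset({"A", "RRSIG", "NSEC"})),
]

if __name__ == "__main__":
    q = "_25._tcp.h4ha.net."
    for label, chain in (("apex-only chain", PAGE_CHAIN), ("chain with wildcard", WILDCARD_CHAIN)):
        print(label, "NODATA:", check_nodata(q, "TLSA", chain))
        print(label, "NXDOMAIN:", check_nxdomain(q, chain))
```

Run against PAGE_CHAIN, the NODATA response from the post fails (no NSEC owned by the query name, and no NSEC owned by *.h4ha.net), while the same chain would validate an NXDOMAIN for the name: that is the mismatch between what the server answers and what its NSEC chain proves. With the constructed WILDCARD_CHAIN the wildcard NODATA proof succeeds and the NXDOMAIN proof fails, because the wildcard is now enumerated and therefore proven to exist.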