[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?

Shumon Huque shuque at gmail.com
Tue Apr 16 00:19:15 UTC 2019


On Mon, Apr 15, 2019 at 8:00 PM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> On Mon, Apr 15, 2019 at 07:40:03PM -0400, Shumon Huque wrote:
> [...]
> > It doesn't say: also make sure there are no contradictory facts being
> > asserted in the response, such as an NSEC record that denies the
> > existence of the wildcard that was deduced to exist by means of the
> > RRSIG in the answer section. It seems that resolvers could make any
> > number of quite complex deductions of this nature, but why would an
> > implementer go out of their way to do all that extra work? On the other
> > hand, this zone is clearly broken, so there is probably benefit in a
> > popular resolver flagging its responses as broken, if it acts as an
> > incentive to get this fixed.
>
> This could be an interaction with aggressive nsec.
>

Ah, great guess Viktor! Occam's razor likely wins again!?

Aggressive NSEC could probably explain it.

Shumon.
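
The contradiction described in the quoted text, written as a check. This is an added example and not part of the original message: the function names, the zone names and the NSEC records are constructed for illustration, and names are assumed to be plain presentation format with no escaped characters. It deduces the wildcard from the RRSIG Labels field (RFC 4034 section 3.1.3) and reports any NSEC in the same response that covers that wildcard name in canonical order (RFC 4034 section 6.1).

```python
# Added example: constructed data, hypothetical helper names.

def labels(name):
    """Split a presentation-format name into lowercase labels."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def canon_key(name):
    """Canonical ordering key: labels compared right to left as raw octets."""
    return tuple(l.encode("ascii") for l in reversed(labels(name)))

def rrsig_label_count(owner):
    """Label count as the RRSIG Labels field counts it (root and '*' excluded)."""
    ls = labels(owner)
    return len(ls) - 1 if ls and ls[0] == "*" else len(ls)

def wildcard_source(owner, rrsig_labels):
    """Wildcard name the RRset was expanded from, or None if not expanded."""
    ls = labels(owner)
    if rrsig_labels >= rrsig_label_count(owner):
        return None
    return ".".join(["*"] + ls[len(ls) - rrsig_labels:]) + "."

def nsec_covers(nsec_owner, nsec_next, name):
    """True if the NSEC span (owner, next) proves that name does not exist."""
    o, n, k = canon_key(nsec_owner), canon_key(nsec_next), canon_key(name)
    if o < n:
        return o < k < n
    return k > o or k < n  # last NSEC in the zone wraps back to the apex

def contradictions(owner, rrsig_labels, nsecs):
    """NSECs that deny the wildcard the answer's RRSIG implies exists."""
    wc = wildcard_source(owner, rrsig_labels)
    if wc is None:
        return []
    return [(o, n) for o, n in nsecs if nsec_covers(o, n, wc)]

# Constructed response: answer owner has 3 labels, RRSIG Labels = 2,
# so the answer claims expansion from *.example.com.
NSECS = [("example.com.", "mail.example.com."),
         ("mail.example.com.", "example.com.")]

if __name__ == "__main__":
    print(wildcard_source("host.example.com.", 2))
    print(contradictions("host.example.com.", 2, NSECS))
```

A validator that stops at the checks for a wildcard answer never runs the last function; a resolver doing aggressive NSEC (RFC 8198) caches the same NSEC and can later answer negatively for names in its span, including the wildcard.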