[dns-operations] [Update] Incomplete NSEC3 denial of existence from domaincontrol.com servers

Brian L. King blk at godaddy.com
Mon Dec 2 17:02:08 UTC 2019


This is being addressed.

Thanks.


--

Brian L. King (blk at godaddy.com<mailto:blk at godaddy.com>)
Senior Linux/DNS Systems Administrator, Go Daddy
AZ time zone (http://x.co/aztime)
:wq!


On Sun, 2019-12-01 at 14:55 -0500, Viktor Dukhovni wrote:

[ This is still unresolved since the original post on Nov 24th, now at least

  289 affected TLSA RRsets in 255 domains. Updated details at:



<https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html>

https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html

 ]


The NSEC3 denial of existence for the TLSA records of at least 202 MX hosts (in

178 domains) is bogus, because the QNAME (or sometimes the wildcard if the

qname is covered "by accident") is not covered by any NSEC3 RR.  In the below

example (RRSIGs elided), the sole NSEC3 RR only covers the zone apex:



[snip]


--

   Viktor.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20191202/ed08c24a/attachment.html>


More information about the dns-operations mailing list