[dns-operations] [Update] Incomplete NSEC3 denial of existence from domaincontrol.com servers

Brian L. King blk at godaddy.com
Mon Dec 2 17:02:08 UTC 2019


This is being addressed.

Thanks.


--

Brian L. King (blk at godaddy.com<mailto:blk at godaddy.com>)
Senior Linux/DNS Systems Administrator, Go Daddy
AZ time zone (http://x.co/aztime)
:wq!


On Sun, 2019-12-01 at 14:55 -0500, Viktor Dukhovni wrote:

> [ This is still unresolved since the original post on Nov 24th, now at least
>   289 affected TLSA RRsets in 255 domains. Updated details at:
>
>   https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html
> ]
>
> The NSEC3 denial of existence for the TLSA records of at least 202 MX hosts (in
> 178 domains) is bogus, because the QNAME (or sometimes the wildcard if the
> qname is covered "by accident") is not covered by any NSEC3 RR.  In the below
> example (RRSIGs elided), the sole NSEC3 RR only covers the zone apex:
>
> [snip]
>
> --
>    Viktor.
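As an added worked example (not code from either message above, nor from GoDaddy or the dnsviz report), the following Python script performs the check a validating resolver applies to the NSEC3 RRs in a negative response, per RFC 5155 sections 8.3 to 8.7: a NODATA answer needs an NSEC3 RR that matches the hashed QNAME with the type absent from its bitmap; an NXDOMAIN answer needs a closest-encloser proof (an RR matching an ancestor, an RR covering the next closer name) plus an RR covering the wildcard at that closest encloser. The toy zone, salt, iteration count, names and type bitmaps are all constructed for this example; opt-out and RRSIG verification are deliberately left out. It reproduces the failure the quoted message describes: a response containing only the apex NSEC3 RR cannot prove that `_25._tcp.mx.example.com TLSA` does not exist.

```python
"""Simplified NSEC3 denial-of-existence check (RFC 5155 sections 8.3-8.7).
Assumptions: no opt-out, no RRSIG verification, one NSEC3 chain per zone."""
import hashlib
from dataclasses import dataclass, field

B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def canonical_wire(name: str) -> bytes:
    """Canonical DNS wire form (RFC 4034 6.2): lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: H = SHA-1(name||salt), then 'iterations' more rounds of SHA-1(H||salt).
    Returned in base32hex, which sorts in the same order as the raw 20-byte digest."""
    h = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    bits = int.from_bytes(h, "big")  # 160 bits -> exactly 32 base32hex characters, no padding
    return "".join(B32HEX[(bits >> (155 - 5 * i)) & 31] for i in range(32))


@dataclass
class NSEC3:
    owner_hash: str   # hashed owner name (first label of the RR owner)
    next_hash: str    # Next Hashed Owner Name field
    types: frozenset = field(default_factory=frozenset)  # Type Bit Maps

    def matches(self, h: str) -> bool:
        return self.owner_hash == h

    def covers(self, h: str) -> bool:
        """True if h lies strictly between owner and next; the last RR in the chain wraps around."""
        if self.owner_hash < self.next_hash:
            return self.owner_hash < h < self.next_hash
        return h > self.owner_hash or h < self.next_hash


def build_chain(zone_rrsets: dict, salt: bytes, iterations: int) -> list:
    """What a signer does: hash every name, sort, link each RR to its successor (last wraps to first)."""
    hashed = sorted((nsec3_hash(n, salt, iterations), frozenset(t)) for n, t in zone_rrsets.items())
    return [NSEC3(h, hashed[(i + 1) % len(hashed)][0], t) for i, (h, t) in enumerate(hashed)]


def closest_encloser(qname, zone, salt, iterations, nsec3s):
    """RFC 5155 section 8.3: the longest proper ancestor of qname (down to the apex) that some
    NSEC3 RR matches, provided the name one label below it (the next closer name) is covered."""
    labels = qname.lower().rstrip(".").split(".")
    depth = len(labels) - len(zone.rstrip(".").split("."))  # labels below the zone apex
    for i in range(1, depth + 1):
        candidate, next_closer = ".".join(labels[i:]), ".".join(labels[i - 1:])
        ch, nh = nsec3_hash(candidate, salt, iterations), nsec3_hash(next_closer, salt, iterations)
        if any(rr.matches(ch) for rr in nsec3s) and any(rr.covers(nh) for rr in nsec3s):
            return candidate
    return None


def validate_denial(qname, qtype, zone, salt, iterations, nsec3s) -> str:
    """Classify the NSEC3 RRs of a negative response for <qname, qtype>."""
    qh = nsec3_hash(qname, salt, iterations)
    for rr in nsec3s:
        if rr.matches(qh):  # section 8.5: the name exists, so the type must be absent
            if qtype in rr.types or "CNAME" in rr.types:
                return "bogus: matching NSEC3 RR says the type exists"
            return "NODATA proven"
    ce = closest_encloser(qname, zone, salt, iterations, nsec3s)
    if ce is None:
        return "bogus: no closest encloser proof (QNAME or next closer name not covered)"
    wh = nsec3_hash("*." + ce, salt, iterations)
    for rr in nsec3s:
        if rr.matches(wh):  # section 8.7: a wildcard exists but lacks the type
            return "wildcard NODATA proven" if qtype not in rr.types else "bogus: wildcard has the type"
    if any(rr.covers(wh) for rr in nsec3s):  # section 8.4: the wildcard is proven absent as well
        return "NXDOMAIN proven"
    return "bogus: wildcard at closest encloser not covered"


# Constructed toy zone (assumption): the MX host has an A record but no TLSA records.
SALT, ITER, ZONE = bytes.fromhex("abcd"), 1, "example.com"
ZONE_RRSETS = {
    "example.com": {"SOA", "NS", "MX", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "mx.example.com": {"A", "RRSIG"},
    "www.example.com": {"A", "AAAA", "RRSIG"},
    "mail.example.com": {"CNAME", "RRSIG"},
}
CHAIN = build_chain(ZONE_RRSETS, SALT, ITER)


def rrs_for(chain, names):
    """What a correct authoritative server includes: the RR matching or covering each hashed name."""
    out = []
    for n in names:
        h = nsec3_hash(n, SALT, ITER)
        out += [rr for rr in chain if (rr.matches(h) or rr.covers(h)) and rr not in out]
    return out


if __name__ == "__main__":
    q = "_25._tcp.mx.example.com"
    complete = rrs_for(CHAIN, ["mx.example.com", "_tcp.mx.example.com", "*.mx.example.com"])
    apex_only = rrs_for(CHAIN, [ZONE])  # the incomplete response pattern from the report
    print(validate_denial(q, "TLSA", ZONE, SALT, ITER, complete))
    print(validate_denial(q, "TLSA", ZONE, SALT, ITER, apex_only))
```

The apex-only response fails deterministically, whatever the hash values happen to be: the apex RR matches `example.com`, but its next closer name `mx.example.com` is an existing zone name and so is never strictly inside any RR's range. The "covered by accident" case the report mentions is the reverse situation, where a response happens to cover the wildcard without proving the next closer name; the validator rejects it at the closest-encloser step.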