[dns-operations] [Resolved] Incomplete NSEC3 denial of existence from domaincontrol.com servers

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Dec 11 02:49:09 UTC 2019

On Sun, Dec 01, 2019 at 02:55:36PM -0500, Viktor Dukhovni wrote:

> [ This is still unresolved since the original post on Nov 24th, now at least
>   289 affected TLSA RRsets in 255 domains. Updated details at:
>   https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html ]
> The NSEC3 denial of existence for the TLSA records of at least 202 MX hosts (in
> 178 domains) is bogus, because the QNAME (or sometimes the wildcard if the
> qname is covered "by accident") is not covered by any NSEC3 RR.  In the below
> example (RRSIGs elided), the sole NSEC3 RR only covers the zone apex:

I am pleased to report that all but one of the ~290 domains are now resolved.
Thanks to Brian Dickson and the rest of the GoDaddy team for taking care of
this promptly.  [ I expect the last domain will likewise be resolved soon,
but in any case there is no lingering systemic issue. ]
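
The coverage check described in the quoted report, as an added example that is not part of the original post: it computes the RFC 5155 NSEC3 hash of a name and tests whether any NSEC3 RR in a negative response matches or covers it. Assumptions: the function names are illustrative, the salt, iteration count and hashes are the RFC 5155 Appendix A test-zone values (not data from the affected domains), and only the single-name check is shown, not the full closest-encloser and wildcard proof.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex (RFC 4648), lowercase as in DNS.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1) of a domain name, as a base32hex label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covers(owner_hash, next_hash, h):
    """True if h lies strictly between owner_hash and next_hash in hash order."""
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    # The last RR in the chain wraps around to the first hash.
    return h > owner_hash or h < next_hash

def check_denial(qname, nsec3_rrs, salt_hex, iterations):
    """Classify how the NSEC3 RRs of a negative response relate to qname."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in nsec3_rrs:
        if owner == h:
            return "matched"    # name exists; the type bitmap decides NODATA
        if covers(owner, nxt, h):
            return "covered"    # name is provably absent
    return "uncovered"          # no proof: a validator treats the answer as bogus

# Constructed sample: a response carrying only the NSEC3 RR that matches the
# zone apex (owner hash, next hash), taken from the RFC 5155 Appendix A zone.
SALT, ITERATIONS = "aabbccdd", 12
APEX_ONLY = [("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",
              "2t7b4g4vsa5smi47k61mv5bv1a22bojr")]

if __name__ == "__main__":
    for qname in ("example", "a.example"):
        print(qname, nsec3_hash(qname, SALT, ITERATIONS),
              check_denial(qname, APEX_ONLY, SALT, ITERATIONS))
```

An "uncovered" result for the queried name is the condition the report calls bogus: the response asserts non-existence without an NSEC3 RR that spans the name's hash.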

