[dns-operations] [Resolved] Incomplete NSEC3 denial of existence from domaincontrol.com servers
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Dec 11 02:49:09 UTC 2019
On Sun, Dec 01, 2019 at 02:55:36PM -0500, Viktor Dukhovni wrote:
> [ This is still unresolved since the original post on Nov 24th, now at least
> 289 affected TLSA RRsets in 255 domains. Updated details at:
> https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html ]
>
> The NSEC3 denial of existence for the TLSA records of at least 202 MX hosts (in
> 178 domains) is bogus, because the QNAME (or sometimes the wildcard if the
> qname is covered "by accident") is not covered by any NSEC3 RR. In the below
> example (RRSIGs elided), the sole NSEC3 RR only covers the zone apex:
I am pleased to report that all but one of the ~290 domains are now resolved.
Thanks to Brian Dickson and the rest of the GoDaddy team for taking care of
this promptly. [ I expect the last domain will likewise be resolved soon,
but in any case there is no lingering systemic issue. ]
--
Viktor.
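
The coverage test behind the report quoted above, as an added example that is not part of the original message: it computes RFC 5155 NSEC3 hashes and lists which parts of a closest-encloser (name error) proof a set of NSEC3 RRs fails to supply. The zone `example.com`, the salt, the iteration count and all function names are constructed for illustration; RRSIG validation, opt-out and type bitmaps are not checked.

```python
import base64
import hashlib

# Map the RFC 4648 base32 alphabet onto base32hex, lowercased as in zone files.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: salted SHA-1 over the lowercased wire-format name, iterated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode()

def covers(owner, nxt, h):
    """True if h lies strictly between an NSEC3 owner hash and its next hash."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # wrap-around record, or a one-record chain

def missing_proof_parts(qname, zone, nsec3s, salt_hex, iterations):
    """Walk up from QNAME to the closest encloser, then list the unproven parts."""
    owners = {o for o, _ in nsec3s}
    labels = qname.lower().rstrip(".").split(".")
    zone_len = len(zone.rstrip(".").split("."))
    for i in range(1, len(labels) - zone_len + 1):
        encloser = ".".join(labels[i:])
        if nsec3_hash(encloser, salt_hex, iterations) in owners:
            break
    else:
        return ["closest encloser"]  # no NSEC3 owner matches any ancestor
    missing = []
    for part, name in (("next closer", ".".join(labels[i - 1:])),
                       ("wildcard", "*." + encloser)):
        h = nsec3_hash(name, salt_hex, iterations)
        if not any(covers(o, n, h) for o, n in nsec3s):
            missing.append(part)
    return missing

if __name__ == "__main__":  # constructed zone: apex plus one MX host
    s, it, q = "aabbccdd", 12, "_25._tcp.mx.example.com"
    hs = sorted(nsec3_hash(n, s, it) for n in ("example.com", "mx.example.com"))
    chain = list(zip(hs, hs[1:] + hs[:1]))
    apex_only = [r for r in chain if r[0] == nsec3_hash("example.com", s, it)]
    for rrs in (chain, apex_only):
        print(missing_proof_parts(q, "example.com", rrs, s, it))
```

With the full chain the list is empty; with only the apex record the next closer name is reported as uncovered, which a validator treats as bogus.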