[dns-operations] Cloudflare considered harmful?

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Apr 16 20:04:53 UTC 2020

On Thu, Apr 16, 2020 at 11:47:53AM -0700, Vicky Shrestha wrote:

> The fix is being rolled out to our canary POPs and it should be deployed in
> rest of the network next week.

Any chance you're also fixing the (likely DNAME-related) issue that's
breaking resolution of:

    _25._tcp.blue.xy1.nl. IN TLSA ? ; ServFail

>From other public resolvers I get:

    ; NoError AD=1
    _tcp.blue.xy1.nl. IN DNAME _tcp.xy1.nl.
    _25._tcp.blue.xy1.nl. IN CNAME _25._tcp.xy1.nl.
    _25._tcp.xy1.nl. IN CNAME _dane.xy1.nl.
    _dane.xy1.nl. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

The TLSA lookup failure can break email deliver from DANE-enabled MTAs
that use Cloudflare DNS forwarders.


More information about the dns-operations mailing list