[dns-operations] Cloudflare considered harmful?
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Apr 16 20:04:53 UTC 2020
On Thu, Apr 16, 2020 at 11:47:53AM -0700, Vicky Shrestha wrote:
> The fix is being rolled out to our canary POPs and it should be deployed in
> the rest of the network next week.
Any chance you're also fixing the (likely DNAME-related) issue that's
breaking resolution of:
_25._tcp.blue.xy1.nl. IN TLSA ? ; ServFail
From other public resolvers I get:
; NoError AD=1
;
_tcp.blue.xy1.nl. IN DNAME _tcp.xy1.nl.
_25._tcp.blue.xy1.nl. IN CNAME _25._tcp.xy1.nl.
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl.
_dane.xy1.nl. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
The TLSA lookup failure can break email delivery from DANE-enabled MTAs
that use Cloudflare DNS forwarders.
--
Viktor.
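
The alias chain in the answer quoted above, walked offline as an added example (not part of the original message, and not any resolver's own code). It assumes the CNAME at _25._tcp.blue.xy1.nl. is the one synthesized from the DNAME per RFC 6672; the function names and the hop limit are illustrative.

```python
# Added example: records are the ones quoted in the message above.
RECORDS = {
    ("_tcp.blue.xy1.nl.", "DNAME"): "_tcp.xy1.nl.",
    ("_25._tcp.xy1.nl.", "CNAME"): "_dane.xy1.nl.",
    ("_dane.xy1.nl.", "TLSA"):
        "2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18",
}


def labels(name):
    """Split a fully qualified name into lower-cased labels."""
    return name.lower().rstrip(".").split(".")


def dname_substitute(qname, owner, target):
    """RFC 6672 rewrite: applies only to names strictly below the DNAME owner."""
    q, o = labels(qname), labels(owner)
    if len(q) <= len(o) or q[-len(o):] != o:
        return None
    return ".".join(q[:-len(o)] + labels(target)) + "."


def resolve(qname, qtype, records=RECORDS, max_hops=8):
    """Follow CNAME and DNAME aliases; return (alias chain, final rdata or None)."""
    chain, name = [], qname.lower()
    for _ in range(max_hops):  # hop limit guards against alias loops
        if (name, qtype) in records:
            return chain, records[(name, qtype)]
        if (name, "CNAME") in records:
            target = records[(name, "CNAME")]
            chain.append((name, "CNAME", target))
            name = target
            continue
        for (owner, rtype), target in records.items():
            new = dname_substitute(name, owner, target) if rtype == "DNAME" else None
            if new:
                chain.append((owner, "DNAME", target))
                chain.append((name, "CNAME", new))  # CNAME synthesized from the DNAME
                name = new
                break
        else:
            return chain, None  # no data and no alias applies
    raise RuntimeError("alias chain exceeds hop limit")


if __name__ == "__main__":
    chain, rdata = resolve("_25._tcp.blue.xy1.nl.", "TLSA")
    for owner, rtype, target in chain:
        print(f"{owner} IN {rtype} {target}")
    print(f"{chain[-1][2]} IN TLSA {rdata}")
```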