[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Sun Apr 19 07:56:53 UTC 2020


(I don't react to the SERVFAIL from CloudFlare auth.)

On 4/19/20 8:55 AM, Viktor Dukhovni wrote:
> the NSEC RR promises TLSA records, among a rather oddball mix of
> other rrtypes

I believe that's normal for CloudFlare authoritatives, and so far I've
noticed no real problems from that, apart from effects like less
efficient caching.  Description:
https://blog.cloudflare.com/black-lies/#dnsshotgun

At least they lie in the better direction - some servers actually deny
types they do want served:
https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0003.md



More information about the dns-operations mailing list