[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail

Florian Weimer fw at deneb.enyo.de
Sun Apr 19 11:52:35 UTC 2020

* Vladimír Čunát:

> (I don't react to the SERVFAIL from CloudFlare auth.)
> On 4/19/20 8:55 AM, Viktor Dukhovni wrote:
>> the NSEC RR promises TLSA records, among a rather oddball mix of
>> other rrtypes
> I believe that's normal for CloudFlare authoritatives, and so far I've
> noticed no real problems from that, apart from effects like less
> efficient caching.  Description:
> https://blog.cloudflare.com/black-lies/#dnsshotgun

For me, queries to alla.ns.cloudflare.com for
_25._tcp.mx01.mx-hosting.ch/IN/TLSA time out (even over TCP).  That
breaks denial of existence and thus DANE.  There is no obvious
client-side workaround because the NSEC RRset says that the TLSA RRset

Could this work if the authoriative server returned an RRSIG signature
of an empty TLSA RRset?

More information about the dns-operations mailing list