[dns-operations] .com delegation responses when glue addresses don't fit

Mukund Sivaraman muks at mukund.org
Wed Aug 19 17:33:20 UTC 2020


We notice the following response from .com's nameservers:

[muks at mx ~]$ dig +nord +dnssec +bufsize=512 @2001:502:1ca1::30 infoblox.com

; <<>> DiG 1.1.1.20200608151533.e8a2352e96 <<>> +nord +dnssec +bufsize=512 @2001:502:1ca1::30 infoblox.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15448
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 11, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;infoblox.com.			IN	A

;; AUTHORITY SECTION:
infoblox.com.		172800	IN	NS	ns1.infoblox.com.
infoblox.com.		172800	IN	NS	ns2.infoblox.com.
infoblox.com.		172800	IN	NS	ns3.infoblox.com.
infoblox.com.		172800	IN	NS	ns4.infoblox.com.
infoblox.com.		172800	IN	NS	ns5.infoblox.com.
infoblox.com.		172800	IN	NS	ns6.infoblox.com.
infoblox.com.		86400	IN	DS	33613 5 2 339462CBAEB1773800EA8B688D2CA048FCAB0EB2933A97AEE2B86A9A 212F37C5
infoblox.com.		86400	IN	DS	33613 5 1 629C2D6C060E2133CD0F4470F3ECC8834DA4FAD6
infoblox.com.		86400	IN	DS	49879 5 2 605656DB7C9DFE4D8A453C350B3DA63039A78878DA089AD4247AB9A0 D3B43998
infoblox.com.		86400	IN	DS	49879 5 1 C1DB78AD9A8928CB15A7E0CE9E4468D433F5C638
infoblox.com.		86400	IN	RRSIG	DS 8 2 86400 20200823050241 20200816035241 24966 com. 0s/TnWuxLdVzCQqY0tVauNXeCpirT5rYacvEpxaQfTxCjP2XfZkqHy4A SNoGyYWGZQdxTa7zXVgrKuWOoKZ2CKxC/kd++VnEJKoFw3llOoq56Wz+ lq65BS7E6/ZlE4Qgce8rhbBQVkE6Sk1YXkuxDbwoPYfvkHlfWaboeiNO 6y731Xcrq3vjqdG6YZCHyH64SSnVFypUiRN26H2HPsYsSg==

;; Query time: 19 msec
;; SERVER: 2001:502:1ca1::30#53(2001:502:1ca1::30)
;; WHEN: Wed Aug 19 17:30:29 GMT 2020
;; MSG SIZE  rcvd: 512

[muks at mx ~]$


Glue address records are required in this delegation response, but none
are returned. TC=1 is not set. This causes problems with some resolvers.

Can someone at Verisign please check correctness of this response, and
set TC=1 for such responses?

It appears to be the problem statement of:
https://tools.ietf.org/html/draft-andrews-dnsop-glue-is-not-optional-01

		Mukund
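
A check for the condition reported in this message, as an added example that is not part of the original post: it reads dig-formatted output and flags a referral whose in-zone name servers have no address records in the additional section while TC is unset. The function name, the verdict strings and both sample inputs are constructed for illustration (the first is abridged from the dig output above).

```python
import re

def check_referral(dig_text):
    """Classify a dig-formatted referral by glue completeness and the TC flag."""
    flags, section, ns, glued = set(), None, [], set()
    for line in dig_text.splitlines():
        if m := re.match(r";; flags:([^;]*);", line):
            flags = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif line.strip() and not line.startswith(";"):
            f = line.split()
            if len(f) < 5:
                continue
            owner, rtype, rdata = f[0].lower(), f[3], f[4].lower()
            if section == "AUTHORITY" and rtype == "NS":
                ns.append((owner, rdata))
            elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
                glued.add(owner)
    # Glue is needed for name servers at or below the delegated zone.
    needed = [t for zone, t in ns if t == zone or t.endswith("." + zone)]
    missing = [t for t in needed if t not in glued]
    if not ns:
        verdict = "not-a-referral"
    elif not missing:
        verdict = "ok"
    elif "tc" in flags:
        verdict = "truncated"        # resolver is told to retry over TCP
    elif len(missing) == len(needed):
        verdict = "no-glue-no-tc"    # the case reported in this message
    else:
        verdict = "partial-glue-no-tc"
    return verdict, missing

# Constructed sample: header and two NS lines abridged from the dig output above.
NO_GLUE = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 11, ADDITIONAL: 1
;; AUTHORITY SECTION:
infoblox.com. 172800 IN NS ns1.infoblox.com.
infoblox.com. 172800 IN NS ns2.infoblox.com.
"""
# Constructed sample: a referral that carries its glue (documentation address).
WITH_GLUE = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; AUTHORITY SECTION:
example.com. 172800 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 172800 IN A 192.0.2.53
"""
if __name__ == "__main__":
    for name, text in (("no glue", NO_GLUE), ("with glue", WITH_GLUE)):
        print(name, check_referral(text))
```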