[dns-operations] Speaking of DNAMES, perhaps not entirely well handled at CloudFlare?
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Mar 30 05:19:21 UTC 2020
The authoritative servers look fine to me and DNSViz:
https://dnsviz.net/d/_25._tcp.yellow.xy1.nl/XoF-Kg/dnssec/
but Cloudflare, alone among the big four public DNS services, returns
ServFail, along with most of the answer (sans DNAME RR):
$ for ip in 1.0.0.1 1.1.1.1 8.8.4.4 8.8.8.8 64.6.64.6 64.6.65.6 9.9.9.10 149.112.112.10;
  do echo "@$ip"
     hsdig -n $ip -t tlsa _25._tcp.yellow.xy1.nl
  done
@1.0.0.1
_25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; ServFail AD=0
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; ServFail AD=0
_dane.xy1.nl. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; ServFail AD=0
@1.1.1.1
_25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; ServFail AD=0
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; ServFail AD=0
_dane.xy1.nl. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; ServFail AD=0
@8.8.4.4
_tcp.yellow.xy1.nl. IN DNAME _tcp.xy1.nl. ; NoError AD=1
_25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; NoError AD=1
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; NoError AD=1
_dane.xy1.nl. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; NoError AD=1
@8.8.8.8
_tcp.yellow.xy1.nl. IN DNAME _tcp.xy1.nl. ; NoError AD=1
_25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; NoError AD=1
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; NoError AD=1
_dane.xy1.nl. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; NoError AD=1
@64.6.64.6
_tcp.yellow.xy1.nl. IN DNAME _tcp.xy1.nl. ; NoError AD=1
_25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; NoError AD=1
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; NoError AD=1
_dane.xy1.nl. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; NoError AD=1
@64.6.65.6
_tcp.yellow.xy1.nl. IN DNAME _tcp.xy1.nl. ; NoError AD=1
_25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; NoError AD=1
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; NoError AD=1
_dane.xy1.nl. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; NoError AD=1
@9.9.9.10
_tcp.yellow.xy1.nl. IN DNAME _tcp.xy1.nl. ; NoError AD=1
_25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; NoError AD=1
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; NoError AD=1
_dane.xy1.nl. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; NoError AD=1
@149.112.112.10
_tcp.yellow.xy1.nl. IN DNAME _tcp.xy1.nl. ; NoError AD=1
_25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; NoError AD=1
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; NoError AD=1
_dane.xy1.nl. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; NoError AD=1
--
Viktor.
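
Added example, not part of the original message: a Python check over output in the format quoted above that applies the RFC 6672 DNAME substitution and flags resolvers returning a CNAME that another resolver derived from a DNAME while omitting the DNAME itself. A synthesized CNAME carries no signature of its own, so that combination is the one worth flagging. The function names (`parse`, `synthesize`, `dname_derived`, `audit`) are made up for this sketch.

```python
import re
# Subset of the hsdig output quoted in the message above (two of the eight resolvers).
SAMPLE = """\
@1.1.1.1
_25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; ServFail AD=0
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; ServFail AD=0
@8.8.8.8
_tcp.yellow.xy1.nl. IN DNAME _tcp.xy1.nl. ; NoError AD=1
_25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; NoError AD=1
_25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; NoError AD=1
"""

LINE = re.compile(r"^(\S+)\s+IN\s+(\S+)\s+(.*?)\s*;\s*(\S+)\s+AD=([01])$")

def parse(text):
    """Return {resolver: [(owner, type, rdata, rcode, ad), ...]}."""
    out, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("@"):
            cur = out.setdefault(line[1:], [])
        elif cur is not None and (m := LINE.match(line)):
            o, t, r, rc, ad = m.groups()
            cur.append((o.lower(), t.upper(), r, rc, ad == "1"))
    return out

def synthesize(qname, dname_owner, dname_target):
    """RFC 6672 substitution; applies only to names strictly below the DNAME owner."""
    q, o = qname.lower(), dname_owner.lower()
    return q[: -len(o)] + dname_target.lower() if q.endswith("." + o) else None

def dname_derived(rrs):
    """CNAMEs in one answer that equal the synthesis from a DNAME in the same answer."""
    dnames = [(o, r) for o, t, r, *_ in rrs if t == "DNAME"]
    return {(o, r.lower()) for o, t, r, *_ in rrs if t == "CNAME"
            for d_o, d_t in dnames if synthesize(o, d_o, d_t) == r.lower()}

def audit(text):
    """Per resolver: rcode, AD bit, and DNAME-derived CNAMEs returned without the DNAME."""
    answers = parse(text)
    known = set().union(*(dname_derived(rrs) for rrs in answers.values()))
    report = {}
    for ip, rrs in answers.items():
        cnames = {(o, r.lower()) for o, t, r, *_ in rrs if t == "CNAME"}
        missing = sorted(o for o, r in (cnames & known) - dname_derived(rrs))
        rcode, ad = (rrs[0][3], rrs[0][4]) if rrs else (None, False)
        report[ip] = {"rcode": rcode, "ad": ad, "cname_without_dname": missing}
    return report
```

`audit(SAMPLE)` needs at least one resolver in the input that returned the DNAME, since that answer is what identifies which CNAMEs are synthesized.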