[dns-operations] Cloudflare public DNS sometimes forwards incomplete&duplicated subset of NSEC RRs

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Tue Sep 1 08:36:52 UTC 2020


On 9/1/20 9:58 AM, Stephane Bortzmeyer wrote:
> AFAIK, Cloudflare uses Knot Resolver. I tested with another Knot
> resolver and it works:

I think they originally started the service quite close to Knot Resolver
code, but they've apparently diverged quite a bit since then (I don't
know).  To be sure, I had tested this report today and failed to get any
problem with our current code.

A related difference between 1.1.1.1 and Knot Resolver I now noticed:
they don't seem to be doing aggressive NSEC caching, whereas Knot
Resolver has it since January 2018 (it could never be turned off on
signed names).

--Vladimir (Knot Resolver)



