[dns-operations] Cloudflare (and perhaps also Google) public DNS sometimes forwards incomplete&duplicated subset of NSEC RRs

Shumon Huque shuque at gmail.com
Tue Sep 1 13:22:09 UTC 2020


On Tue, Sep 1, 2020 at 4:24 AM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> On Tue, Sep 01, 2020 at 01:48:17AM -0400, Viktor Dukhovni wrote:
> >
> >         @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +cd +dnssec
> [...]
>
> So I'm at a loss to explain what's happening...  Haven't seen any
> anomalous replies yet from either VRSN or Quad9.
>

It looks to me like a bug in Cloudflare and Google, and we probably need to
await their response to figure out what's going on.

Cloudflare omits the wildcard NODATA NSEC, and Google omits the no closer
match NSEC. Both are required. Interestingly, they both set AD=1, so
perhaps internally they authenticated the full NSEC set.

Shumon.
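To make the two proof components named in the reply concrete, the following is an added example (not code from the thread or from either resolver operator) of what a validator has to find in a wildcard NODATA response per RFC 4035 section 3.1.3.4: one NSEC covering the QNAME, which proves there is no closer match, plus one NSEC owned by *.<closest encloser> whose type bitmap lacks the QTYPE. The zone contents, the NSEC chain and the QNAME _25._tcp.mx.example.net are constructed for illustration; the runbox.com data is not reproduced here. A resolver that drops either record, as the reply says Cloudflare and Google each do, leaves a set this check reports as incomplete.

```python
"""Check whether a set of NSEC RRs forms a complete DNSSEC wildcard NODATA
proof (RFC 4035 section 3.1.3.4).  Added example with a constructed zone."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str        # owner name, fully qualified with trailing dot
    next: str         # next owner name in the zone's canonical order
    types: frozenset  # RR types present at the owner (the NSEC type bitmap)


def labels(name):
    """Split a DNS name into lower-cased labels, dropping the root label."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are compared
    right to left as byte strings, and an ancestor sorts before its descendants."""
    return tuple(l.encode("ascii") for l in reversed(labels(name)))


def nsec_covers(nsec, name):
    """True if NAME sorts strictly between owner and next, i.e. this NSEC proves
    NAME does not exist.  The last NSEC of a zone points back to the apex, so
    owner > next there and the interval wraps around."""
    o, n, q = canonical_key(nsec.owner), canonical_key(nsec.next), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around at the end of the chain


def closest_encloser(nsec, name):
    """Longest ancestor of NAME shared with the covering NSEC's owner or next
    name; the wildcard that may synthesize an answer hangs off this name."""
    q = canonical_key(name)
    best = ()
    for candidate in (nsec.owner, nsec.next):
        c = canonical_key(candidate)
        common = 0
        while common < min(len(c), len(q)) and c[common] == q[common]:
            common += 1
        best = max(best, q[:common], key=len)
    return ".".join(l.decode("ascii") for l in reversed(best)) + "."


def check_wildcard_nodata(nsecs, qname, qtype):
    """Return (complete, missing): MISSING lists what a validator still needs
    before it could legitimately set AD=1 on the response."""
    missing = []
    covering = [r for r in nsecs if nsec_covers(r, qname)]
    if not covering:
        missing.append("no closer match NSEC (one covering %s)" % qname)
        return False, missing
    wildcard = "*." + closest_encloser(covering[0], qname)
    matching = [r for r in nsecs if labels(r.owner) == labels(wildcard)]
    if not matching:
        missing.append("wildcard NODATA NSEC (owner %s)" % wildcard)
    elif qtype in matching[0].types:
        missing.append("NSEC at %s lists %s: not a NODATA case" % (wildcard, qtype))
    return not missing, missing


# Constructed zone example.net in canonical order: apex, mx, the wildcard
# under mx (which has A but no TLSA), and one more name so that the NSEC
# covering the QNAME is distinct from the NSEC matching the wildcard.
ZONE_NSECS = [
    NSEC("example.net.", "mx.example.net.", frozenset({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})),
    NSEC("mx.example.net.", "*.mx.example.net.", frozenset({"A", "RRSIG", "NSEC"})),
    NSEC("*.mx.example.net.", "_dmarc.mx.example.net.", frozenset({"A", "RRSIG", "NSEC"})),
    NSEC("_dmarc.mx.example.net.", "example.net.", frozenset({"TXT", "RRSIG", "NSEC"})),
]
QNAME = "_25._tcp.mx.example.net."  # constructed TLSA query name


if __name__ == "__main__":
    for label, rrs in (
        ("full NSEC set", ZONE_NSECS),
        ("wildcard NSEC dropped", [r for r in ZONE_NSECS if not r.owner.startswith("*")]),
        ("covering NSEC dropped", [r for r in ZONE_NSECS if r.owner != "_dmarc.mx.example.net."]),
    ):
        ok, missing = check_wildcard_nodata(rrs, QNAME, "TLSA")
        print("%-22s complete=%s missing=%s" % (label, ok, missing))
```

The covering NSEC is found by canonical ordering alone, so the check does not depend on which name the resolver chose to return; the wildcard NSEC is looked up by exact owner after deriving the closest encloser from the covering record, which is why dropping either RR produces a different, specific missing-piece report.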