[dns-operations] Google (formerly also CF) public DNS sometimes forwards incomplete subset of NSEC RRs

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Sep 16 20:31:24 UTC 2020


On Wed, Sep 16, 2020 at 11:50:31AM -0700, Marek Vavruša wrote:
> Hi Viktor, I forgot to update this thread, but this should be fixed.

Thanks!  Looks much better now.  Now it is Google's turn.  I still see
an incomplete NSEC3 RRset from 8.8.8.8:

    $ hsdig -n8.8.8.8 -D -t tlsa _25._tcp.mx.runbox.com
    _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
    runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
    runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
    *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
    *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>

but the NSEC establishing the zone apex as the closest encloser (now
present in the CF responses):

    $ hsdig -n1.0.0.1 -D -t tlsa _25._tcp.mx.runbox.com
    _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
    runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
    runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
    munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
    munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
    *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
    *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>

is missing from the GOOG responses.

-- 
    Viktor.
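The check a validating resolver applies to the two responses above, as an added example that is not from the post or from any resolver's code. The helper names are mine; the NSEC records and the query name and type are transcribed from the hsdig output in the post, and the closest-encloser derivation follows the usual NSEC rule (longest ancestor shared with the covering NSEC's owner or next name).

```python
# Added example (not from the post or any resolver): does a wildcard NODATA
# response carry the full NSEC proof of RFC 4035 s3.1.3.4, i.e. an NSEC
# covering QNAME (non-existence, and hence the closest encloser) plus an
# NSEC matching *.<closest encloser> whose type bitmap lacks QTYPE?

def canon(name):
    """Canonical-ordering key (RFC 4034 s6.1): labels reversed, lowercased."""
    return tuple(lab.lower() for lab in name.rstrip(".").split(".")[::-1])

def covers(owner, nxt, qname):
    """True if qname sorts strictly between owner and next (wraps at apex)."""
    o, n, q = canon(owner), canon(nxt), canon(qname)
    return (o < q < n) if o < n else (q > o or q < n)

def common_ancestor(a, b):
    """Longest ancestor shared by two names, as an absolute name."""
    shared = []
    for x, y in zip(canon(a), canon(b)):
        if x != y:
            break
        shared.append(x)
    return ".".join(shared[::-1]) + "."

def parse_nsec(lines):
    """Parse dig-style 'owner IN NSEC next TYPE ...' lines."""
    recs = []
    for line in lines:
        f = line.split()
        if len(f) > 3 and f[2] == "NSEC":
            recs.append((f[0], f[3], set(f[4:])))
    return recs

def wildcard_nodata_proof(nsecs, qname, qtype):
    """Return (ok, reason); ok only when both halves of the proof are present."""
    for owner, nxt, _ in nsecs:
        if not covers(owner, nxt, qname):
            continue
        # Closest encloser: longest ancestor shared with the owner or next name.
        ce = max(common_ancestor(qname, owner), common_ancestor(qname, nxt),
                 key=lambda n: len(canon(n)))
        for o2, _, types in nsecs:
            if canon(o2) == canon("*." + ce):
                return qtype not in types, "closest encloser %s; wildcard types %s" % (ce, sorted(types))
        return False, "no NSEC matching *." + ce
    return False, "no NSEC covers " + qname

# NSEC RRs transcribed from the two responses quoted in the post.
GOOG = parse_nsec(["*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC"])
CF = parse_nsec(["munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC",
                 "*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC"])
```

`wildcard_nodata_proof(CF, "_25._tcp.mx.runbox.com.", "TLSA")` succeeds because the munin01 NSEC covers mx.runbox.com and everything under it, fixing the closest encloser at the apex; the same call on `GOOG` fails with "no NSEC covers", which is exactly the missing record the post describes.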


