[dns-operations] Google (formerly also CF) public DNS sometimes forwards incomplete subset of NSEC RRs
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Sep 16 20:31:24 UTC 2020
On Wed, Sep 16, 2020 at 11:50:31AM -0700, Marek Vavruša wrote:
> Hi Viktor, I forgot to update this thread, but this should be fixed.
Thanks! Looks much better now. Now it is Google's turn. I still see
an incomplete NSEC3 RRset from 8.8.8.8:
$ hsdig -n8.8.8.8 -D -t tlsa _25._tcp.mx.runbox.com
_25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
but the NSEC establishing the zone apex as the closest encloser (now
present in the CF responses):
$ hsdig -n1.0.0.1 -D -t tlsa _25._tcp.mx.runbox.com
_25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
is missing from the GOOG responses.
--
Viktor.
More information about the dns-operations
mailing list