[dns-operations] Google public DNS sometimes forwards incomplete subset of NSEC RRs
Viktor Dukhovni
ietf-dane@dukhovni.org
Sat Feb 6 06:13:01 UTC 2021
> On Sep 16, 2020, at 6:31 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>
> Now it is Google's turn. I still see an incomplete NSEC3 RRset from 8.8.8.8:
>
> $ hsdig -n8.8.8.8 -D -t tlsa _25._tcp.mx.runbox.com
> _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
> runbox.com. IN SOA dns61.copyleft.no. hostmaster@copyleft.no. 3000008499 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
I am seeing this issue again, intermittently from various Google
DNS servers. Here's an example from 8.8.4.4:
_25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
runbox.com. IN SOA dns61.copyleft.no. hostmaster@copyleft.no. 3000008714 14400 3600 1296000 3600
runbox.com. IN RRSIG SOA 13 2 86400 20210219161924 20210205144924 12629 runbox.com. <sig>
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
*.runbox.com. IN RRSIG NSEC 13 2 3600 20210219161924 20210205144924 12629 runbox.com. <sig>
Or DNSViz (three of the four public IPs):
https://dnsviz.net/d/_25._tcp.mx.runbox.com/e/437682/dnssec/
--
Viktor.
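The following is an added worked example, not part of the post above and not code from the author's hsdig tool. It applies the NSEC rules of RFC 4034 section 6.1 (canonical ordering) and RFC 4035 sections 3.1.3 and 5.4 (NODATA proofs) to the single NSEC record that 8.8.8.8 returned for the TLSA query, to show what a validating client is missing. For a NODATA answer synthesized from a wildcard, a validator needs two NSEC records: one whose range covers the QNAME (proving the exact name does not exist) and one for `*.<closest encloser>` whose type bitmap lacks the QTYPE. The answer quoted above carries only the second. The `COMPLETE_NSEC` set adds a constructed, hypothetical covering record purely for contrast; the real runbox.com NSEC chain is not shown on this page and the record name is an assumption.

```python
"""Check whether the NSEC RRs in a DNSSEC NODATA answer form a complete proof.

Added example, not from the original post.  RUNBOX_NSEC is transcribed from
the 8.8.8.8 answer quoted in the post; the extra record in COMPLETE_NSEC is a
constructed placeholder, not a real runbox.com record.
"""


def _key(name):
    """Canonical ordering key (RFC 4034 s6.1): compare labels right to left,
    case-insensitively; an ancestor sorts before its descendants."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return labels[::-1]


def canonical_lt(a, b):
    """True if name a sorts before name b in DNSSEC canonical order."""
    return _key(a) < _key(b)


def nsec_covers(owner, nxt, qname):
    """True if qname lies strictly between owner and next, i.e. the NSEC
    proves qname does not exist.  The last NSEC in a zone wraps around to
    the apex, so its next name sorts before its owner."""
    o, n, q = _key(owner), _key(nxt), _key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around at the end of the zone


def closest_encloser(qname, owner, nxt):
    """Longest existing ancestor of qname: the longest common suffix between
    qname and either end of the NSEC that covers it."""
    q = _key(qname)
    best = []
    for other in (_key(owner), _key(nxt)):
        common = []
        for a, b in zip(q, other):
            if a != b:
                break
            common.append(a)
        if len(common) > len(best):
            best = common
    return ".".join(l.decode() for l in reversed(best)) + "."


def nodata_proof(nsecs, qname, qtype):
    """nsecs: list of (owner, next, set_of_types).  Returns (ok, reason)."""
    # Case 1 (RFC 4035 s3.1.3.1): the name exists, the NSEC at it lacks qtype.
    for owner, nxt, types in nsecs:
        if _key(owner) == _key(qname):
            if qtype in types:
                return False, f"{owner} NSEC lists {qtype}; answer should not be NODATA"
            return True, f"{owner} NSEC proves no {qtype} at {qname}"
    # Case 2 (RFC 4035 s3.1.3.4): wildcard NODATA needs a covering NSEC for
    # qname plus the NSEC of *.<closest encloser> without qtype.
    covering = [r for r in nsecs if nsec_covers(r[0], r[1], qname)]
    if not covering:
        return False, f"no NSEC covers {qname}; proof that the name does not exist is missing"
    owner, nxt, _ = covering[0]
    ce = closest_encloser(qname, owner, nxt)
    wildcard = "*." if ce == "." else "*." + ce
    for o, n, types in nsecs:
        if _key(o) == _key(wildcard):
            if qtype in types:
                return False, f"{wildcard} NSEC lists {qtype}; answer should not be NODATA"
            return True, f"{owner} NSEC covers {qname}; {wildcard} NSEC lacks {qtype}"
    return False, f"no NSEC for wildcard {wildcard}"


# NSEC RRset as forwarded by 8.8.8.8 for the TLSA query (from the post above).
RUNBOX_NSEC = [("*.runbox.com.", "_acme-challenge.runbox.com.", {"A", "MX", "RRSIG", "NSEC"})]
QNAME, QTYPE = "_25._tcp.mx.runbox.com.", "TLSA"

# Constructed, hypothetical covering record (owner/next names are made up) of
# the kind a complete wildcard NODATA proof would also have to carry.
COMPLETE_NSEC = RUNBOX_NSEC + [
    ("mailhost.runbox.com.", "news.runbox.com.", {"A", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    for label, rrset in (("8.8.8.8 answer", RUNBOX_NSEC), ("with covering NSEC", COMPLETE_NSEC)):
        ok, why = nodata_proof(rrset, QNAME, QTYPE)
        print(f"{label}: {'complete' if ok else 'INCOMPLETE'}: {why}")
```

Run stand-alone, the script reports the 8.8.8.8 RRset as incomplete because `*.runbox.com` sorts before `_acme-challenge.runbox.com`, which in turn sorts before `mx.runbox.com` (`_` is 0x5f, `m` is 0x6d), so that NSEC cannot cover `_25._tcp.mx.runbox.com`; with a covering record added, the same wildcard NSEC (no TLSA in its bitmap) completes the proof.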