[dns-operations] Anyone here from epik.com?
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Jan 15 22:35:30 UTC 2021
I am looking for a DNS engineering contact at epik.com, where customer
zones with wildcard labels immediately below the zone apex routinely
don't make it into the NSEC chain, breaking denial of existence.

For many (over 30.8k) domains, the zone apex is the only node in the
NSEC chain, despite the presence of a wildcard A record:

    $ dig +cd +dnssec +noall +auth +ans +nocl +nottl -t a '*.objectmix.com'
    *.objectmix.com. A 88.214.207.96
    *.objectmix.com. RRSIG A 13 2 300 20210128000000 20210107000000 1879 objectmix.com. <...>

    $ dig +cd +dnssec +noall +auth +ans +nocl +nottl -t txt '*.objectmix.com'
    objectmix.com. SOA ns3.epik.com. support.epik.com. 2020102802 10800 3600 604800 3600
    objectmix.com. RRSIG SOA 13 2 3600 20210128000000 20210107000000 1879 objectmix.com. <...>
    objectmix.com. NSEC objectmix.com. A NS SOA RRSIG NSEC DNSKEY CAA
    objectmix.com. RRSIG NSEC 13 2 3600 20210128000000 20210107000000 1879 objectmix.com. <...>

It would be great to see this resolved.

--
Viktor.
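
The failure described above, as an added example that is not part of the original post: a Python check that applies RFC 4034 canonical name ordering to the NSEC record in the dig output and shows that an apex-only chain denies the wildcard name the zone still answers for. The function names and the two-record `FIXED_CHAIN` are constructed for illustration.

```python
# Added example: names and FIXED_CHAIN are illustrative, not from the post.

def canon_key(name):
    """RFC 4034 section 6.1 sort key: lowercase labels, rightmost first.
    Assumes plain ASCII names without escaped dots."""
    name = name.rstrip(".").lower()
    return [label.encode("ascii") for label in reversed(name.split("."))] if name else []

def nsec_covers(owner, next_name, qname):
    """True if the NSEC record (owner -> next_name) proves qname does not exist."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(qname)
    if o < n:
        return o < q < n
    # Last record in the chain wraps around to the apex; owner == next_name
    # (a single-node chain) therefore covers every name except the owner.
    return q > o or q < n

def denied_but_served(chain, served):
    """Names that return signed data although the NSEC chain denies them."""
    owners = [canon_key(owner) for owner, _ in chain]
    return [name for name in served
            if canon_key(name) not in owners
            and any(nsec_covers(o, n, name) for o, n in chain)]

# From the dig output in the post: the apex NSEC points back at the apex.
PAGE_CHAIN = [("objectmix.com.", "objectmix.com.")]
# Constructed: what the chain would look like with the wildcard included.
FIXED_CHAIN = [("objectmix.com.", "*.objectmix.com."),
               ("*.objectmix.com.", "objectmix.com.")]
# The post shows a signed A RRset at this owner name.
SERVED = ["objectmix.com.", "*.objectmix.com."]

if __name__ == "__main__":
    print("apex-only chain denies:", denied_but_served(PAGE_CHAIN, SERVED))
    print("chain with wildcard denies:", denied_but_served(FIXED_CHAIN, SERVED))
```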