[dns-operations] Google (formerly also CF) public DNS sometimes forwards incomplete subset of NSEC RRs

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jul 29 03:31:18 UTC 2021


On Wed, Jul 28, 2021 at 10:04:23PM -0400, Puneet Sood wrote:

> The problem has been fixed for a couple of months now. Thanks for reporting.
> 
> $ dig @8.8.8.8 _4._tcp.mx.runbox.com. IN TLSA +dnssec +nocomment +nocrypto
> 
> ; <<>> DiG 9.10.6 <<>> @8.8.8.8 _4._tcp.mx.runbox.com. IN TLSA +dnssec +nocomment +nocrypto
> ; (1 server found)
> ;; global options: +cmd
> ;_4._tcp.mx.runbox.com. IN TLSA
> runbox.com. 1204 IN SOA dns61.copyleft.no. hostmaster.copyleft.no.  3000008995 14400 3600 1296000 3600
> runbox.com. 1204 IN RRSIG SOA 13 2 86400 20210809115838 20210726102838 7485 runbox.com. [omitted]
> mx.runbox.com. 3003 IN NSEC _25._tcp.mx.runbox.com. A RRSIG NSEC
> mx.runbox.com. 3003 IN RRSIG NSEC 13 3 3600 20210809115838 20210726102838 7485 runbox.com. [omitted]
> _25._tcp.mx.runbox.com. 3003 IN NSEC ipmi.mysql01.runbox.com. CNAME RRSIG NSEC
> _25._tcp.mx.runbox.com. 3003 IN RRSIG NSEC 13 5 3600 20210809115838 20210726102838 7485 runbox.com. [omitted]

Thanks.  Much appreciated.  The only other Google-DNS related issues
I have are on the authoritative side (perhaps not your department?):

    http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/google.com.html

One zone with a CNAME loop and another with partly expired NSEC RRSIGs
via a no longer published ZSK.

-- 
    Viktor.
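
An added illustration, not code from the thread or from Google DNS: a Python check of what the two NSEC records in the quoted dig output actually prove for the queried name, using RFC 4034 canonical ordering and the RFC 4035 name-error checks. The owner/next pairs are copied from the dig output above; the closest-encloser step is a simplification (it walks the qname's ancestors until one is no longer provably absent) rather than a full validator.

```python
# Added example, not code from the thread or from Google DNS: RFC 4034 s6.1
# canonical ordering plus the NSEC coverage checks a validator makes for a
# name-error proof (RFC 4035 s5.4). The closest-encloser step is simplified.

# Owner/next pairs copied from the two NSEC records in the quoted dig output.
RUNBOX_NSECS = [
    ("mx.runbox.com.", "_25._tcp.mx.runbox.com."),
    ("_25._tcp.mx.runbox.com.", "ipmi.mysql01.runbox.com."),
]
QNAME = "_4._tcp.mx.runbox.com."


def canon_key(name):
    """Sort key for canonical DNS order: labels lowercased, compared right to left."""
    labels = [lab.lower().encode() for lab in name.rstrip(".").split(".") if lab]
    return tuple(reversed(labels))


def nsec_covers(owner, next_name, name):
    """True if name sorts strictly between owner and next (last NSEC wraps to apex)."""
    o, n, x = canon_key(owner), canon_key(next_name), canon_key(name)
    if o < n:
        return o < x < n
    return x > o or x < n


def nsec_proves_nxdomain(nsecs, qname):
    """Return (ok, NSEC covering qname, NSEC covering the closest-encloser wildcard)."""
    cover = next((r for r in nsecs if nsec_covers(r[0], r[1], qname)), None)
    if cover is None:
        return False, None, None
    # Simplification: walk up qname's ancestors; the first one not covered by any
    # supplied NSEC cannot be proven absent, so treat it as the closest encloser.
    labels = qname.rstrip(".").split(".")
    closest = None
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if not any(nsec_covers(r[0], r[1], ancestor) for r in nsecs):
            closest = ancestor
            break
    if closest is None:
        return False, cover, None
    wild = next((r for r in nsecs if nsec_covers(r[0], r[1], "*." + closest)), None)
    return wild is not None, cover, wild


if __name__ == "__main__":
    print("full set:", nsec_proves_nxdomain(RUNBOX_NSECS, QNAME))
    for i, r in enumerate(RUNBOX_NSECS):  # what happens if one record is dropped
        rest = RUNBOX_NSECS[:i] + RUNBOX_NSECS[i + 1:]
        print("without", r[0], "->", nsec_proves_nxdomain(rest, QNAME)[0])
```

The second NSEC covers the queried name and the first covers the wildcard at the closest encloser; dropping either record from the list leaves the name error unprovable, which is the failure mode the subject line describes.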

