[dns-operations] Google (formerly also CF) public DNS sometimes forwards incomplete subset of NSEC RRs

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jul 30 20:28:30 UTC 2021

On Fri, Jul 30, 2021 at 04:02:07PM -0400, Robert Evans wrote:
> > One zone with a CNAME loop and another with partly expired NSEC RRSIGs
> > via a no longer published ZSK.
> CNAME loops aren't valid, but aren't rejected by Cloud DNS.

Indeed, though for what it is worth, this particular case is special, in
that it is a wildcard CNAME pointing to a non-existent sibling in the
same zone, and so leads right back to the same wildcard.  This is easy
to detect, and perhaps worthy of a warning to the zone owner.

> The invalid RRSIG looks broken, and we'll investigate. Thanks for reporting.

Thanks for looking into it.


More information about the dns-operations mailing list