[dns-operations] Google (formerly also CF) public DNS sometimes forwards incomplete subset of NSEC RRs
ietf-dane at dukhovni.org
Fri Jul 30 20:28:30 UTC 2021
On Fri, Jul 30, 2021 at 04:02:07PM -0400, Robert Evans wrote:
> > One zone with a CNAME loop and another with partly expired NSEC RRSIGs
> > via a no longer published ZSK.
> CNAME loops aren't valid, but aren't rejected by Cloud DNS.
Indeed, though for what it is worth, this particular case is special, in
that it is a wildcard CNAME pointing to a non-existent sibling in the
same zone, and so leads right back to the same wildcard. This is easy
to detect, and perhaps worthy of a warning to the zone owner.
> The invalid RRSIG looks broken, and we'll investigate. Thanks for reporting.
Thanks for looking into it.
More information about the dns-operations