[dns-operations] TLSA lookup SERVFAIL from CloudFlare auth servers?

Vicky Shrestha vicky at geeks.net.np
Tue Oct 5 22:13:06 UTC 2021


Hi,



On Wed, Sep 29, 2021 at 14:56 Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> On Wed, Sep 29, 2021 at 02:33:42PM -0700, Vicky Shrestha wrote:
>
> > > For some reason CloudFlare's auth servers are failing to return
> > > a non-error reply for (at least):
> > >
> > >   https://dnsviz.net/d/_25._tcp.mail1.gearnetwork.de/YU_q9g/dnssec/
> > >   https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/YVC-8g/dnssec/
> >
> > Thanks Viktor for bringing this to our attention. Both of these records
> > have invalid TLSA rdata. We are rolling out a fix to validate this in our
> > API and will be reaching out to our customers to fix them.



API Validation has been added and rolled out to production.

Thanks again for reporting this issue.

>
>
> Thanks, much appreciated!
>
> While I've been less than enthusiastic on this list about iterative
> nameservers (recursive resolvers) doing RDATA syntax validation, doing
> such validation at the authoritative servers is less objectionable, and
> I fully support RDATA validation when done before records are added to
> the zone.
>
> Compile-time type checks sure beat runtime errors.
>
> --
>         Viktor.
-- 
With Regards,

Vicky Shrestha
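
Added example, not part of the thread and not Cloudflare's implementation: a pre-publication syntax check for TLSA RDATA of the kind discussed above, using the field values and digest lengths from RFC 6698. The function name and sample records are constructed, and the thread does not say what was wrong with the two reported records.

```python
import binascii

# Digest sizes fixed by the matching type (RFC 6698): 1 = SHA-256, 2 = SHA-512.
DIGEST_LEN = {1: 32, 2: 64}
# Highest assigned value per field: usage 0-3, selector 0-1, matching type 0-2.
# Rejecting unassigned values is a policy choice made for this example.
FIELDS = (("usage", 3), ("selector", 1), ("matching type", 2))


def validate_tlsa(rdata):
    """Return a list of problems found in presentation-format TLSA RDATA."""
    parts = rdata.split()
    if len(parts) < 4:
        return ["expected: usage selector matching-type hex-data"]
    errors, values = [], []
    for (name, max_assigned), text in zip(FIELDS, parts[:3]):
        if not (text.isascii() and text.isdigit()) or int(text) > 255:
            errors.append(f"{name} is not an 8-bit unsigned integer: {text!r}")
            values.append(None)
            continue
        values.append(int(text))
        if values[-1] > max_assigned:
            errors.append(f"{name} {text} is unassigned")
    # Presentation format allows the hex string to be split by whitespace.
    hexdata = "".join(parts[3:])
    try:
        data = binascii.unhexlify(hexdata)
    except ValueError:  # binascii.Error is a subclass of ValueError
        errors.append("association data is not an even-length hex string")
        return errors
    mtype = values[2]
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        errors.append(
            f"matching type {mtype} needs {DIGEST_LEN[mtype]} bytes, got {len(data)}")
    return errors


if __name__ == "__main__":
    # Constructed sample records, not taken from the zones named in the thread.
    for record in ("3 1 1 " + "ab" * 32, "3 1 1 " + "ab" * 31, "3 1 1 abc"):
        print(record[:24], "->", validate_tlsa(record) or "ok")
```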