[dns-operations] TLSA lookup SERVFAIL from CloudFlare auth servers?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Sep 29 21:48:54 UTC 2021


On Wed, Sep 29, 2021 at 02:33:42PM -0700, Vicky Shrestha wrote:

> > For some reason CloudFlare's auth servers are failing to return
> > a non-error reply for (at least):
> >
> >   https://dnsviz.net/d/_25._tcp.mail1.gearnetwork.de/YU_q9g/dnssec/
> >   https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/YVC-8g/dnssec/
> 
> Thanks Victor for bringing this to our attention. Both of these records
> have invalid TLSA rdata. We are rolling out a fix to validate this in our
> API and will be reaching out to our customers to fix them.

Thanks, much appreciated!

While I've been less than enthusiastic on this list about iterative
nameservers (recursive resolvers) doing RDATA syntax validation, doing
such validation at the authoritative servers is less objectionable, and
I fully support RDATA validation when done before records are added to
the zone.

Compile-time type checks sure beat runtime errors.

--
        Viktor.
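As an added example (not part of this post, and not Cloudflare's or any registrar's own code), here is a pre-publication TLSA RDATA check of the kind Viktor endorses above: validate the record when it is submitted through the provisioning API, before it reaches the zone, rather than relying on resolvers to cope with bad data at query time. It applies the field constraints of RFC 6698: usage 0-3, selector 0-1, matching type 0-2, an even-length hex string for the certificate association data (whitespace inside the hex is permitted in presentation format), and the digest length implied by the matching type (32 bytes for SHA2-256, 64 for SHA2-512). The thread does not say which of these checks the two records in question failed, so the sample inputs below are constructed, and the `check_tlsa`/`to_wire` names are this example's own.

```python
"""Validate TLSA RDATA (RFC 6698) before it is added to a zone.

Added example for a provisioning-time check; not taken from the post or
from any DNS provider's code. Sample inputs at the bottom are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# IANA-registered values with the RFC 7218 mnemonics. RFC 6698 reserves 255
# for private use; a public provisioning API has no reason to accept it, so
# this check treats anything outside the registered set as invalid (policy).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
# Required length of the Certificate Association Data for the digest types.
DIGEST_LEN = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    cert_data: bytes

    def to_wire(self) -> bytes:
        """RFC 6698 section 2.1 wire format: three octets then the data."""
        return bytes([self.usage, self.selector, self.matching_type]) + self.cert_data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 <hex>'.

    Raises ValueError with a human-readable reason on any violation, which is
    what an API wants to return to the customer instead of publishing the record.
    """
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, matching type and association data")
    try:
        usage, selector, mtype = (int(x) for x in fields[:3])
    except ValueError:
        raise ValueError("usage, selector and matching type must be decimal integers") from None
    if usage not in USAGES:
        raise ValueError(f"usage {usage} is not a registered value (0-3)")
    if selector not in SELECTORS:
        raise ValueError(f"selector {selector} is not a registered value (0-1)")
    if mtype not in MATCHING_TYPES:
        raise ValueError(f"matching type {mtype} is not a registered value (0-2)")

    # RFC 6698 section 2.2 allows whitespace inside the hex string, so rejoin it.
    hexdata = "".join(fields[3:])
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexdata) or len(hexdata) % 2:
        raise ValueError("certificate association data must be a non-empty, even-length hex string")
    data = bytes.fromhex(hexdata)

    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError(
            f"matching type {mtype} ({MATCHING_TYPES[mtype]}) needs "
            f"{DIGEST_LEN[mtype]} bytes of digest, got {len(data)}"
        )
    return TLSA(usage, selector, mtype, data)


def check_tlsa(rdata: str) -> tuple[bool, str]:
    """Return (ok, message); False means the record must not enter the zone."""
    try:
        t = parse_tlsa(rdata)
    except ValueError as exc:
        return False, str(exc)
    return True, (
        f"{USAGES[t.usage]} {SELECTORS[t.selector]} {MATCHING_TYPES[t.matching_type]} "
        f"({len(t.cert_data)} bytes, {len(t.to_wire())} wire octets)"
    )


if __name__ == "__main__":
    # Constructed samples; the digests are placeholders, not real certificate hashes.
    samples = [
        "3 1 1 " + "ab" * 32,            # valid DANE-EE SPKI SHA2-256
        "3 1 1 " + "ab" * 16 + " " + "ab" * 16,  # same digest, whitespace inside the hex
        "3 1 1 " + "ab" * 31,            # digest one byte short
        "4 1 1 " + "ab" * 32,            # unregistered usage
        "3 1 1 " + "ab" * 31 + "a",      # odd-length hex
        "2 0 2 " + "cd" * 64,            # valid DANE-TA full-cert SHA2-512
        "3 1 0",                         # Full matching type with no data
    ]
    for s in samples:
        ok, msg = check_tlsa(s)
        print("OK   " if ok else "REJECT", msg)
```

Rejecting at submission time is the "compile-time" check the post argues for: the customer gets the reason immediately, and the authoritative server never has to serialize RDATA it cannot represent.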


