[dns-operations] TLSA lookup SERVFAIL from CloudFlare auth servers?
Mark Andrews
marka at isc.org
Wed Sep 29 22:06:44 UTC 2021
The whole zone should have returned SERVFAIL not just the TLSA lookup.
This is a requirement of STD13 and not doing this burnt us (BIND) back
in the 1990’s. It also gets data errors fixed faster if the whole zone
starts returning errors.
Mark
> On 30 Sep 2021, at 07:48, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> On Wed, Sep 29, 2021 at 02:33:42PM -0700, Vicky Shrestha wrote:
>
>>> For some reason CloudFlare's auth servers are failing to return
>>> a non-error reply for (at least):
>>>
>>> https://dnsviz.net/d/_25._tcp.mail1.gearnetwork.de/YU_q9g/dnssec/
>>> https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/YVC-8g/dnssec/
>>
>> Thanks Viktor for bringing this to our attention. Both of these records
>> have invalid TLSA rdata. We are rolling out a fix to validate this in our
>> API and will be reaching out to our customers to fix them.
>
> Thanks, much appreciated!
>
> While I've been less than enthusiastic on this list about iterative
> nameservers (recursive resolvers) doing RDATA syntax validation, doing
> such validation at the authoritative servers is less objectionable, and
> I fully support RDATA validation when done before records are added to
> the zone.
>
> Compile-time type checks sure beat runtime errors.
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
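As an added illustration (not code from this thread, from ISC, or from Cloudflare) of the two points above: a pre-insertion check for TLSA RDATA of the kind Viktor welcomes at the authoritative side, plus a zone-level gate that refuses the whole zone on any bad record, as Mark says STD 13 requires. It applies the generic RFC 6698 field and digest-length rules; the thread does not say which field was wrong in the reported records, and the sample zone is constructed.

```python
import hashlib
import re

# IANA TLSA field registries (RFC 6698 section 2.1)
USAGES = {0, 1, 2, 3}       # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
SELECTORS = {0, 1}          # full certificate, SubjectPublicKeyInfo
MATCHING = {0: None, 1: 32, 2: 64}   # exact data (any length), SHA-256, SHA-512 digest length

def validate_tlsa_rdata(text):
    """Check TLSA presentation-format RDATA 'usage selector mtype hexdata'.
    Returns (ok, reason). Generic RFC 6698 consistency checks; the thread does
    not say which field was wrong in the records Viktor reported."""
    fields = text.split()
    if len(fields) < 4:
        return False, "expected usage, selector, matching type and hex data"
    try:
        usage, selector, mtype = (int(f) for f in fields[:3])
    except ValueError:
        return False, "usage/selector/matching type must be decimal integers"
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        return False, f"unregistered usage/selector/matching type {usage} {selector} {mtype}"
    hexdata = "".join(fields[3:])   # presentation form may split the hex with spaces
    if len(hexdata) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexdata):
        return False, "association data is not non-empty even-length hex"
    need = MATCHING[mtype]
    if need is not None and len(hexdata) // 2 != need:
        return False, f"matching type {mtype} needs {need} bytes, got {len(hexdata) // 2}"
    return True, "ok"

def check_zone(tlsa_rrsets):
    """Validate every TLSA record before the zone is loaded. Returns a list of
    'owner: reason' errors; any error refuses the whole zone, not just the
    offending name, which is the STD 13 behaviour Mark describes."""
    errors = []
    for owner, rdatas in tlsa_rrsets.items():
        for rdata in rdatas:
            ok, why = validate_tlsa_rdata(rdata)
            if not ok:
                errors.append(f"{owner}: {why}")
    return errors

# Constructed sample zone: one well-formed DANE-EE SPKI SHA-256 record and one
# whose 'SHA-256' association data is only 2 bytes long.
GOOD_DIGEST = hashlib.sha256(b"constructed SubjectPublicKeyInfo").hexdigest()
SAMPLE_ZONE = {
    "_25._tcp.mail.example": ["3 1 1 " + GOOD_DIGEST],
    "_25._tcp.mx2.example": ["3 1 1 abcd"],
}
```

A non-empty result from check_zone(SAMPLE_ZONE) is the signal to keep serving the previously loaded copy of the zone rather than publish a partially valid one.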