[dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

Matt Nordhoff lists at mn0.us
Thu Sep 22 10:55:00 UTC 2022

On Thu, Sep 22, 2022 at 9:17 AM Warren Kumari <warren at kumari.net> wrote:
> [ - bs ]
> There is a very similar issue with 'production.cloudflare.docker.com'
> (https://dnsviz.net/d/production.cloudflare.docker.com/dnssec/):
> A query for production.cloudflare.docker.com results in a NOERROR response, while a query for its ancestor, cloudflare.docker.com, returns a name error (NXDOMAIN), which indicates that subdomains of cloudflare.docker.com, including production.cloudflare.docker.com, don't exist.
> This broke my ability to use docker for a while — I'd enabled strict qname minimization as a test, and then needed to update some containers in an emergency. It took a while to debug the issues…
> W

That's Amazon Route 53 for you. There were at least 2 threads about
ENTs on the old AWS forum (one started by yours truly) before they got
rid of it.

IIRC, they were reluctant to fix it because they were concerned that
changing (correcting) ENT wildcard behavior would break things for
some of their users.

At least one AWS team has deployed the other "fix", a pointless TXT record:

$ dig elb.amazonaws.com txt

(In signed responses, Route 53 uses NSEC black lies. ENTs are handled
Matt Nordhoff

More information about the dns-operations mailing list