[dns-operations] Cloudflare TYPE65283

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 27 17:19:31 UTC 2023


On Mon, Mar 27, 2023 at 06:30:02PM +0200, Emmanuel Fusté wrote:

> > Do you have a list of operators that currently return just "RRSIG NSEC"
> > for ENTs?  Do you [know] what software they are running?
>
> I double checked: route53/AWS currently return just "RRSIG NSEC" for ENTs.

Anyone else?

> Even worse, it seems that they infer answers to non-EDNS or cleared-DO-bit
> questions from an internal DNSSEC response, even for a non-DNSSEC-enabled
> zone:

I am struggling to understand this, can you give an example?

> - they currently return NXDOMAIN for ENT on apparently non DNSSEC signed 
> zones.

The ENT handling at AWS has been known to be broken for some time.

    https://twitter.com/VDukhovni/status/1443681398905360384
    https://twitter.com/VDukhovni/status/1445236728269258753

> > The only other option is to introduce yet another sentinel that signals
> > that the node in question is an ENT, so that the bare "RRSIG NSEC"
> > combination is ultimately never used.
>
> Yes it was my conclusion too.

I am not entirely keen on yet another sentinel, but feel free to suggest it.
The draft is currently under discussion.

-- 
    Viktor.
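As an added illustration (not part of the thread or of any operator's software), the following Python decodes an NSEC type bitmap (RFC 4034 section 4.1.2) and flags the bare "RRSIG NSEC" case the thread is about, so a resolver or monitoring check can tell it apart from a bitmap that carries a private-use sentinel type. Treating private-use types such as TYPE65283 as a sentinel is an assumption of this example; the thread does not say what that type signals.

```python
"""Encode/decode NSEC type bitmaps and classify what the bitmap claims about a name."""
from typing import Dict, Iterable, List

RRSIG = 46
NSEC = 47
PRIVATE_USE = range(65280, 65535)  # RFC 6895 private-use RR type range


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Encode RR type codes as RFC 4034 windowed bitmaps (window, length, bits)."""
    windows: Dict[int, bytearray] = {}
    for t in types:
        win, low = t >> 8, t & 0xFF
        bits = windows.setdefault(win, bytearray(32))
        bits[low >> 3] |= 0x80 >> (low & 7)        # most significant bit first
    out = bytearray()
    for win in sorted(windows):
        bits = windows[win]
        n = 32
        while n > 1 and bits[n - 1] == 0:          # trailing zero octets are omitted
            n -= 1
        out += bytes([win, n]) + bytes(bits[:n])
    return bytes(out)


def decode_type_bitmap(data: bytes) -> List[int]:
    """Decode a wire-format type bitmap into a sorted list of RR type codes."""
    types: List[int] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, n = data[i], data[i + 1]
        if not 1 <= n <= 32 or i + 2 + n > len(data):
            raise ValueError("malformed window length")
        for j in range(n):
            octet = data[i + 2 + j]
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append((win << 8) | (j << 3) | bit)
        i += 2 + n
    return types


def classify(types: Iterable[int]) -> str:
    """Say what an NSEC bitmap tells a validator about the owner name."""
    s = set(types)
    if NSEC not in s or RRSIG not in s:
        return "invalid"                            # RFC 4035 2.3: both must be present
    sentinels = sorted(t for t in s if t in PRIVATE_USE)
    if sentinels:                                   # assumption: private type acts as a sentinel
        return "sentinel:" + ",".join(f"TYPE{t}" for t in sentinels)
    if s == {RRSIG, NSEC}:
        return "bare-rrsig-nsec"                    # ENT, or an unmarked synthesized answer
    return "has-data"
```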
