[dns-operations] Assistance Request: OpenDNS Not Resolving Certain .realtor™ Domains

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Dec 3 11:03:54 UTC 2025


On Wed, Dec 03, 2025 at 11:01:38AM +0100, Ondřej Surý wrote:
> Ok, look at the NSEC3 proof that the servers give:
> 
> vesdsjhfre0tap5h15gth2f925g1nj4c.realtor. 3600 IN NSEC3 1 1 0 - (
>                                 VESDSJHFRE0TAP5H15GTH2F925G1NJ4C
>                                 NS )
> 
> The NSEC3 record points back to itself instead of to the next name and it is being properly rejected as invalid.

Are you sure that's invalid?  A record that isn't last isn't supposed to
point backwards, but otherwise must the next value be a strict
successor (>) or merely not a strict predecessor (>=)?

The NSEC3 in question is a "covering" record, since the qname hash falls
between the two values.  I don't see clear language in RFC5155 that
precludes this (admittedly fragile) corner case.

One might credibly argue that BIND is too strict, while at the same time
also credibly argue that the signer is unwise to push its luck.

-- 
    Viktor.  🇺🇦 Слава Україні!