<html><head></head><body><div><div><div class=""><div class=""><div class=""><div class="">[ - bs ] <br></div><div class=""><br></div><div class="">There is a very similar issue with '<a href="http://production.cloudflare.docker.com/">production.cloudflare.docker.com</a>'<br></div><div class="">(<a href="https://dnsviz.net/d/production.cloudflare.docker.com/dnssec/">https://dnsviz.net/d/production.cloudflare.docker.com/dnssec/</a>):<br></div><div class=""><br></div></div></div></div><div>A query for <a href="http://production.cloudflare.docker.com/">production.cloudflare.docker.com</a> results in a NOERROR response, while a query for its ancestor, <a href="http://cloudflare.docker.com/">cloudflare.docker.com</a>, returns a name error (NXDOMAIN), which indicates that subdomains of <a href="http://cloudflare.docker.com/">cloudflare.docker.com</a>, including <a href="http://production.cloudflare.docker.com/">production.cloudflare.docker.com</a>, don't exist.<br></div><div><br></div><div>This broke my ability to use docker for a while — I'd enabled strict qname minimization as a test, and then needed to update some containers in an emergency. It took a while to debug the issues…<br></div><div><br></div><div>W</div><div><br></div><div class=""><div><br></div><div class="sh-quoted-content"><div class=""><div class="gmail_quote"><div>On Wed, Sep 21, 2022 at 8:33 AM, Viktor Dukhovni <span dir="ltr" class=""><<a href="mailto:ietf-dane@dukhovni.org" target="_blank" class="">ietf-dane@dukhovni.org</a>></span> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_extra"><div class="gmail_quote"><p class="">The .<a target="_blank" rel="noopener noreferrer" href="http://com.bs/" class="">COM.<wbr>BS</a> is an empty non-terminal with various child domains
registered beneath. The "<a target="_blank" rel="noopener noreferrer" href="http://ns36.cdns.net/" class="">ns36.<wbr>cdns.<wbr>net</a>" nameserver for .BS responds
with NXDOMAIN to "<a target="_blank" rel="noopener noreferrer" href="http://com.bs/" class="">com.<wbr>bs</a>" qname-minimised queries.
<br></p><p class="">
This in turn can and does sometimes lead to NXDOMAIN inference for the
child domains.
<br></p><p class="">
This nameserver needs to be withdrawn and fixed before it is returned to
service.
<br></p><p class="">
2001:678:4::24 <a target="_blank" rel="noopener noreferrer" href="http://ns36.cdns.net/" class="">ns36.<wbr>cdns.<wbr>net</a>
<br>
194.0.1.36 <a target="_blank" rel="noopener noreferrer" href="http://ns36.cdns.net/">ns36.cdns.net</a>
</p><p class="">
Example responses:
<br></p><p class="">
@<a href="http://194.0.1.36">194.0.1.36</a>
<br></p><p class="">
;; Got answer:
<br>
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3297
<br>
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
</p><p class="">
;; OPT PSEUDOSECTION:
<br>
; EDNS: version: 0, flags:; udp: 4096
<br>
;; QUESTION SECTION:
<br>
;<a target="_blank" rel="noopener noreferrer" href="http://com.bs/" class="">com.<wbr>bs</a>. IN SOA
</p><p class="">
;; AUTHORITY SECTION:
<br>
bs. SOA <a target="_blank" rel="noopener noreferrer" href="http://dns.nic.bs/" class="">dns.<wbr>nic.<wbr>bs</a>. <a target="_blank" rel="noopener noreferrer" href="http://bsadmin.cob.edu.bs/" class="">bsadmin.<wbr>cob.<wbr>edu.<wbr>bs</a>. 2022092000 3600 900 1814400 9000
</p><p class="">
@2001:678:4::24
<br></p><p class="">
;; Got answer:
<br>
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39616
<br>
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
</p><p class="">
;; OPT PSEUDOSECTION:
<br>
; EDNS: version: 0, flags:; udp: 4096
<br>
;; QUESTION SECTION:
<br>
;<a target="_blank" rel="noopener noreferrer" href="http://com.bs/" class="">com.<wbr>bs</a>. IN SOA
</p><p class="">
;; AUTHORITY SECTION:
<br>
bs. SOA <a target="_blank" rel="noopener noreferrer" href="http://dns.nic.bs/" class="">dns.<wbr>nic.<wbr>bs</a>. <a target="_blank" rel="noopener noreferrer" href="http://bsadmin.cob.edu.bs/" class="">bsadmin.<wbr>cob.<wbr>edu.<wbr>bs</a>. 2022092000 3600 900 1814400 9000
</p><p class="">
--
<br>
Viktor.
<br>
_______________________________________________
<br>
dns-operations mailing list
<br>
<a target="_blank" rel="noopener noreferrer" href="mailto:dns-operations@lists.dns-oarc.net" class="">dns-operations@<wbr>lists.<wbr>dns-oarc.<wbr>net</a>
<br>
<a target="_blank" rel="noopener noreferrer" href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a></p></div></div></blockquote></div></div></div></div><div><br></div></div><div></div></div></body></html>