On Tue, Oct 13, 2015 at 08:02:35PM +0000, Viktor Dukhovni wrote:
> On Tue, Oct 13, 2015 at 09:42:37PM +0200, Andreas Pothe wrote:
>
> > Can you confirm that addons.mozilla.org has a broken DANE entry?
>
> No, not DANE, in fact no TLSA records published). Rather, they
> have DNS nameserver issues:
>
> http://dnsviz.net/d/_443._tcp.addons.mozilla.net/dnssec/
>
> The akamai nameservers are returning non-authoritative NXDOMAIN
> responses with no SOA record! The responses should be authoritative
> and have an SOA.
Mind you, the above is generally tolerated. The other issue reported
by dnsviz is that one of the servers may have and EDNS0 UDP MTU
issue.
--
Viktor.
