Viktor Dukhovni wrote:

> On Fri, Apr 25, 2014 at 05:57:24PM -0400, Tom Ritter wrote:
>
> Furthermore, TLSA lookups via recursive resolvers SERVFAIL:
>
> $ dig +adflag +noall +comment +ans -t tlsa _25._tcp.nist-gov.mail.protection.outlook.com
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36237
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> because the authoritative nameservers are broken:
>
> $ dig +norecur +adflag +noall +comment +ans -t tlsa _25._tcp.nist-gov.mail.protection.outlook.com @ns1-proddns.glbdns.o365filtering.com
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 54501
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
The authoritative nameservers return a perfectly valid and reasonable response, in full conformance with STD13.

But if _all_ authoritative nameservers do return NOTIMP, then the recursive resolver is broken, because it is erroneously turning a crystal-clear STD13-compliant permanent failure into a temporary failure.

-Martin

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
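As an added example, not part of the thread or of any participant's post: a small Python triage script that applies the distinction Martin draws (NOTIMP is a permanent RCODE under RFC 1035/STD 13, SERVFAIL the temporary one) to dig output of the kind quoted above. It parses the `;; ->>HEADER<<-` and `;; flags:` lines that `dig +comment` prints, builds the TLSA owner name from port, protocol and host, and reports whether a recursive SERVFAIL is hiding a uniform NOTIMP from the authoritative servers. The two sample outputs are copied from the quoted dig runs; the function names, the result labels and the regular expressions are my own and assume dig's usual header layout.

```python
import re

# RCODE values from RFC 1035 section 4.1.1 (STD 13); dig prints the names.
RCODES = {"NOERROR": 0, "FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3, "NOTIMP": 4, "REFUSED": 5}
# Only SERVFAIL tells a client that retrying later may help; the others are
# permanent statements about the query or the server.
TEMPORARY = {"SERVFAIL"}

# Layout of the header lines that `dig +comment` emits (assumed stable).
HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags:([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")

# Sample dig output copied from the quoted messages in this thread.
RECURSIVE_OUTPUT = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36237
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
AUTHORITATIVE_OUTPUT = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 54501
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""


def tlsa_owner(host, port=25, proto="tcp"):
    """Owner name of the TLSA RRset for a service: _<port>._<proto>.<host>."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


def parse_dig_header(text):
    """Extract opcode, status (RCODE name), id, flags and section counts from
    the ';; ->>HEADER<<-' and ';; flags:' lines of one dig run."""
    h = HEADER_RE.search(text)
    if h is None:
        raise ValueError("no ';; ->>HEADER<<-' line in dig output")
    f = FLAGS_RE.search(text)
    return {
        "opcode": h.group(1),
        "status": h.group(2),
        "id": int(h.group(3)),
        "flags": f.group(1).split() if f else [],
        "counts": tuple(int(f.group(i)) for i in range(2, 6)) if f else (0, 0, 0, 0),
    }


def triage(recursive_status, authoritative_statuses):
    """Classify a failed lookup from the recursive resolver's RCODE and the
    RCODEs the authoritative servers returned for the same query.

    DEFINITIVE            recursive resolver gave a permanent answer itself
    UNKNOWN               no authoritative results to compare against
    UPSTREAM_TEMPORARY    some authoritative server is itself failing
    MASKED_PERMANENT      every authoritative server said NOTIMP, but the
                          recursive resolver reported SERVFAIL instead
    AUTH_PERMANENT_OTHER  authoritatives answered permanently (not NOTIMP);
                          the SERVFAIL arose on the recursive side, so check
                          that resolver's own logs (e.g. validation failures)
    """
    if recursive_status not in TEMPORARY:
        return "DEFINITIVE"
    auth = set(authoritative_statuses)
    if not auth:
        return "UNKNOWN"
    if auth & TEMPORARY:
        return "UPSTREAM_TEMPORARY"
    if auth == {"NOTIMP"}:
        return "MASKED_PERMANENT"
    return "AUTH_PERMANENT_OTHER"


def diagnose(recursive_output, authoritative_outputs):
    """Run triage() directly on captured dig output texts."""
    rec = parse_dig_header(recursive_output)["status"]
    auth = [parse_dig_header(o)["status"] for o in authoritative_outputs]
    return triage(rec, auth)


if __name__ == "__main__":
    print(tlsa_owner("nist-gov.mail.protection.outlook.com"))
    print(diagnose(RECURSIVE_OUTPUT, [AUTHORITATIVE_OUTPUT]))
```

In practice one would feed the script the saved output of `dig +norecur ... @<ns>` against every nameserver in the zone's NS set, since the verdict MASKED_PERMANENT only holds when all of them answer NOTIMP; a single SERVFAIL among them makes the recursive resolver's SERVFAIL legitimate.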
