In message <[email protected]>, Viktor Dukhovni writes:
> There are some domains that have *only* deployed DNSSEC (e.g. much
> of the ".gov" TLD), and have not yet done anything with DANE, but
> which have broken firewalls that block requests for "unexpected" DNS
> query RRtypes.
>
> https://tools.ietf.org/html/draft-andrews-dns-no-response-issue-07

There are TLD operators that break lookups based on the query type.
See:

http://ednscomp.isc.org/compliance/tld-typereport.txt

The "CDS=refused" are, we believe, due to a bug in BIND
9.8.8/9.9.6/9.10.1 which is fixed in BIND 9.9.7/9.10.2. BIND
9.8.8/9.9.6/9.10.1 add master file support for CDS.

4049.   [bug]           CDS and CDNSKEY had the wrong attributes. [RT #38491]

Firewalls are a pain in the backside for DNS. Do anything slightly
different but still with well defined server behaviour specified and
you will see a firewall drop it.

http://ednscomp.isc.org/compliance/summary.html

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
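An added example, not part of the original message and not ISC's test code: a minimal classifier for per-RRtype probe results, separating a silent drop (timeout) from an explicit REFUSED so that type-dependent behaviour stands out against a working baseline type. The name example.test, the helper names and the sample server behaviour are constructed for illustration.

```python
import struct

# RR type codes from the IANA DNS parameters registry.
QTYPES = {"A": 1, "TLSA": 52, "CDS": 59, "CDNSKEY": 60}
RCODES = {0: "ok", 1: "formerr", 2: "servfail", 3: "nxdomain", 4: "notimp", 5: "refused"}

def build_query(name, qtype, msg_id):
    """Encode a minimal RFC 1035 query: one question, class IN, RD clear."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)

def constructed_reply(query, rcode):
    """Constructed sample data: echo the question with QR and AA set plus an RCODE."""
    return query[:2] + struct.pack("!H", 0x8400 | rcode) + query[4:]

def classify(query, reply):
    """Label one probe result; reply is None when nothing came back."""
    if reply is None:
        return "timeout"      # dropped on the path or ignored by the server
    if len(reply) < 12:
        return "malformed"    # shorter than a DNS header
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "mismatch"     # wrong message ID, or QR bit not set
    return RCODES.get(flags & 0x000F, "rcode%d" % (flags & 0x000F))

def type_dependent(results, baseline="A"):
    """Return the types that fail although the baseline type is answered."""
    if results.get(baseline) != "ok":
        return []             # server fails in general; not a per-type problem
    return sorted(t for t, r in results.items() if r != "ok")

def demo():
    # Constructed behaviour of a hypothetical server: answers A and CDNSKEY,
    # refuses CDS, and sits behind a middlebox that drops TLSA queries.
    behaviour = {"A": 0, "TLSA": None, "CDS": 5, "CDNSKEY": 0}
    results = {}
    for i, (qtype, rcode) in enumerate(behaviour.items()):
        q = build_query("example.test", qtype, 0x1000 + i)
        reply = None if rcode is None else constructed_reply(q, rcode)
        results[qtype] = classify(q, reply)
    return results

if __name__ == "__main__":
    results = demo()
    print(results, "type-dependent:", type_dependent(results))
```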
