On Tue, Jan 28, 2020 at 08:48:51AM +0100, Tom Ivar Helbekkmo wrote:
> > The problems are visible using dnsviz:
>
> ...which showed that Neustar's "UltraDNS" name servers were mishandling
> ENTs, causing trouble for resolvers that use qname minimization and/or
> do careful DNSSEC validation. Well, no more:
>
> > https://dnsviz.net/d/slc.paypal.com/dnssec/
> > https://dnsviz.net/d/_domainkey.paypal.com/dnssec/
>
> The good folks at Neustar took this problem seriously. They followed up
> my problem report diligently, and have just rolled out a new version of
> their software, with the bug fixed.

While PayPal may well be resolved, at least 408 other domains are still
not returning the requisite NSEC (or NSEC3) RRs. For example:

https://dnsviz.net/d/_25._tcp.sili.dev/dnssec/
https://dnsviz.net/d/_25._tcp.e33.info/dnssec/

- Hooray! Algorithm 13 (P256) CSK.
- Oops, NXDOMAIN with no NSEC!

Perhaps, in addition to the software update, zone files for the affected
domains also need to be rebuilt (to repair the NSEC chains), which may
take more time. If so, with a bit of luck, I should see a decline in
the number of affected domains over the coming days.

--
Viktor.
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
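
Added example, not part of the original message or of any tool named in it: a minimal Python check for the failure discussed in the thread, a negative answer (NXDOMAIN or NODATA) from a signed zone whose authority section carries no NSEC or NSEC3 record. It assumes the query was sent with the DO bit set, so a signed zone returns an RRSIG alongside the SOA; the sample responses and the name `_25._tcp.example.` are constructed placeholders.

```python
import struct

NSEC, NSEC3, SOA, RRSIG, NXDOMAIN = 47, 50, 6, 46, 3  # RR types and rcode

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # a compression pointer ends the name
            return off + 2
        off += 1 + n

def authority_types(msg):
    """Return (rcode, answer count, set of RR types in the authority section)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    types = set()
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an:                             # past the answer section
            types.add(rtype)
    return flags & 0xF, an, types

def missing_denial_proof(msg):
    """True if a signed negative answer carries neither NSEC nor NSEC3."""
    rcode, an, types = authority_types(msg)
    negative = rcode == NXDOMAIN or (rcode == 0 and an == 0 and SOA in types)
    signed = RRSIG in types    # assumption: DO was set, so the SOA is signed
    return negative and signed and not types & {NSEC, NSEC3}

# --- constructed sample responses (rdata is an opaque placeholder byte) ---
def encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(name, rtype, rdata=b"\x00"):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def sample(rcode, types):
    """Constructed response: one TLSA question, authority RRs of given types."""
    header = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, 0, len(types), 0)
    question = encode_name("_25._tcp.example.") + struct.pack("!HH", 52, 1)
    return header + question + b"".join(rr("example.", t) for t in types)
```
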