--- Begin Message ---
Hi Mukund,

We are aware that this situation can arise given certain combinations of 
referral size and EDNS0 buffer size.  We're also aware of 
draft-ietf-dnsop-glue-is-not-optional, and our engineers are figuring out how 
best to update our software in that context.  It would be nice if some of the 
open questions around that draft could come to consensus.

I would be interested to know more about the resolvers you mention as having 
trouble with this case.  Either privately or on list.

In the meantime, of course, the registrant could certainly remove some of the 
superfluous type 1 DS records to bring the referral size down if necessary.

(My apologies for the delay in responding, I was out of the office for a few 
days.)

DW



> On Aug 19, 2020, at 10:33 AM, Mukund Sivaraman <[email protected]> wrote:
> 
> We notice the following response from .com's nameservers:
> 
> [muks@mx ~]$ dig +nord +dnssec +bufsize=512 @2001:502:1ca1::30 infoblox.com
> 
> ; <<>> DiG 1.1.1.20200608151533.e8a2352e96 <<>> +nord +dnssec +bufsize=512 @2001:502:1ca1::30 infoblox.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15448
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 11, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;infoblox.com.                        IN      A
> 
> ;; AUTHORITY SECTION:
> infoblox.com.         172800  IN      NS      ns1.infoblox.com.
> infoblox.com.         172800  IN      NS      ns2.infoblox.com.
> infoblox.com.         172800  IN      NS      ns3.infoblox.com.
> infoblox.com.         172800  IN      NS      ns4.infoblox.com.
> infoblox.com.         172800  IN      NS      ns5.infoblox.com.
> infoblox.com.         172800  IN      NS      ns6.infoblox.com.
> infoblox.com.         86400   IN      DS      33613 5 2 339462CBAEB1773800EA8B688D2CA048FCAB0EB2933A97AEE2B86A9A 212F37C5
> infoblox.com.         86400   IN      DS      33613 5 1 629C2D6C060E2133CD0F4470F3ECC8834DA4FAD6
> infoblox.com.         86400   IN      DS      49879 5 2 605656DB7C9DFE4D8A453C350B3DA63039A78878DA089AD4247AB9A0 D3B43998
> infoblox.com.         86400   IN      DS      49879 5 1 C1DB78AD9A8928CB15A7E0CE9E4468D433F5C638
> infoblox.com.         86400   IN      RRSIG   DS 8 2 86400 20200823050241 20200816035241 24966 com. 0s/TnWuxLdVzCQqY0tVauNXeCpirT5rYacvEpxaQfTxCjP2XfZkqHy4A SNoGyYWGZQdxTa7zXVgrKuWOoKZ2CKxC/kd++VnEJKoFw3llOoq56Wz+ lq65BS7E6/ZlE4Qgce8rhbBQVkE6Sk1YXkuxDbwoPYfvkHlfWaboeiNO 6y731Xcrq3vjqdG6YZCHyH64SSnVFypUiRN26H2HPsYsSg==
> 
> ;; Query time: 19 msec
> ;; SERVER: 2001:502:1ca1::30#53(2001:502:1ca1::30)
> ;; WHEN: Wed Aug 19 17:30:29 GMT 2020
> ;; MSG SIZE  rcvd: 512
> 
> [muks@mx ~]$
> 
> 
> Glue address records are required in this delegation response, but none
> are returned. TC=1 is not set. This causes problems with some resolvers.
> 
> Can someone at Verisign please check correctness of this response, and
> set TC=1 for such responses?
> 
> It appears to be the problem statement of:
> https://tools.ietf.org/html/draft-andrews-dnsop-glue-is-not-optional-01
> 
>               Mukund
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Attachment: smime.p7s
Description: S/MIME cryptographic signature


--- End Message ---
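
The condition reported in the quoted message (a referral whose NS names sit inside the delegated zone, with no address records in the additional section and TC not set) can be checked mechanically on saved `dig` output. The following is an added example, not part of the original thread; the function names and the sample response (example.com, placeholder DS data) are constructed for illustration.

```python
import re

# Constructed sample shaped like the dig output quoted above; the names and
# the DS data are placeholders, not values from the thread.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com.            IN      A

;; AUTHORITY SECTION:
example.com.     172800  IN      NS      ns1.example.com.
example.com.     172800  IN      NS      ns2.example.net.
example.com.     86400   IN      DS      12345 8 2 ABCDEF

;; MSG SIZE  rcvd: 512
"""

def parse_dig(text):
    """Return (header flags, {section name: [(owner, type, rdata)]})."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        m = re.match(r";; flags:([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif not line.strip():
            current = None            # a blank line ends the section
        elif current is not None and not line.startswith(";"):
            f = line.strip().split(None, 4)
            if len(f) == 5:           # owner, TTL, class, type, rdata
                current.append((f[0].lower(), f[3], f[4]))
    return flags, sections

def missing_glue(text):
    """In-domain NS names that lack glue in a referral sent without TC=1."""
    flags, sec = parse_dig(text)
    if "tc" in flags or sec.get("ANSWER"):
        return []                     # truncation signalled, or not a referral
    glued = {o for o, t, _ in sec.get("ADDITIONAL", []) if t in ("A", "AAAA")}
    return sorted(
        ns.lower() for zone, t, ns in sec.get("AUTHORITY", [])
        if t == "NS" and ns.lower().endswith("." + zone) and ns.lower() not in glued
    )
```

A non-empty result from `missing_glue` means the response matches the case reported in the thread; name servers outside the delegated zone (here `ns2.example.net.`) are not counted because they do not need glue.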