On Tue, Sep 1, 2020 at 4:24 AM Viktor Dukhovni <[email protected]> wrote:
> On Tue, Sep 01, 2020 at 01:48:17AM -0400, Viktor Dukhovni wrote:
>
> > > @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +cd +dnssec
> [...]
>
> So I'm at a loss to explain what's happening... Haven't seen any
> anomalous replies yet from either VRSN or Quad9.
>

It looks to me like a bug in Cloudflare and Google, and we probably need to await their response to figure out what's going on.

Cloudflare omits the wildcard NODATA NSEC, and Google omits the no closer match NSEC. Both are required. Interestingly, they both set AD=1, so perhaps internally they authenticated the full NSEC set.

Shumon.
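The two NSEC records the reply above says are both required, as an added example that is not part of the original thread: a Python check that reports which half of a wildcard NODATA proof a response's NSEC set lacks. The zone data is constructed (example.com, not the runbox.com records), the helper names are hypothetical, and RRSIG validation is assumed to have been done elsewhere.

```python
from collections import namedtuple

# Simplified NSEC record (assumption: RRSIGs were already validated elsewhere).
NSEC = namedtuple("NSEC", "owner next types")

def ckey(name):
    """Canonical ordering key (RFC 4034 section 6.1): lowercased labels, rightmost first."""
    return tuple(l.encode() for l in reversed(name.rstrip(".").lower().split(".")))

def is_sub(child, parent):
    """True if child equals parent or lies below it."""
    c, p = ckey(child), ckey(parent)
    return c[:len(p)] == p

def covers(rr, name):
    """True if rr proves name does not exist, not even as an empty non-terminal."""
    o, n, q = ckey(rr.owner), ckey(rr.next), ckey(name)
    if is_sub(rr.next, name):  # something exists at or below name
        return False
    return o < q < n if o < n else (q > o or q < n)  # else: last NSEC, wraps to apex

def common_ancestor(a, b):
    """Longest domain suffix shared by a and b."""
    ka, kb = ckey(a), ckey(b)
    i = 0
    while i < min(len(ka), len(kb)) and ka[i] == kb[i]:
        i += 1
    return ".".join(l.decode() for l in reversed(ka[:i]))

def missing_proofs(qname, qtype, nsecs):
    """List the parts of a wildcard NODATA proof that the NSEC set lacks."""
    missing = []
    cover = next((r for r in nsecs if covers(r, qname)), None)
    if cover:
        # Closest encloser: longer ancestor shared with either end of the covering NSEC.
        ce = max(common_ancestor(qname, cover.owner), common_ancestor(qname, cover.next), key=len)
        is_wild = lambda r: ckey(r.owner) == ckey("*." + ce)
    else:
        missing.append("no closer match NSEC")
        is_wild = lambda r: r.owner.startswith("*.") and is_sub(qname, r.owner[2:])
    if not any(is_wild(r) and not ({qtype, "CNAME"} & r.types) for r in nsecs):
        missing.append("wildcard NODATA NSEC")
    return missing

# Constructed zone: example.com, *.example.com, mail.example.com, www.example.com
QNAME = "_25._tcp.mx.example.com."
WILD = NSEC("*.example.com.", "mail.example.com.", {"A", "RRSIG", "NSEC"})
COVER = NSEC("mail.example.com.", "www.example.com.", {"A", "RRSIG", "NSEC"})

if __name__ == "__main__":
    for label, rrs in [("complete", [WILD, COVER]), ("no wildcard NSEC", [COVER]), ("no covering NSEC", [WILD])]:
        print(label, "->", missing_proofs(QNAME, "TLSA", rrs) or "proof complete")
```

In a zone where the wildcard's own NSEC also spans the query name, a single record satisfies both checks, so a one-NSEC answer is not by itself evidence of an incomplete proof.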
