--- Begin Message ---
Hi,
Last month or so I saw two domains, postnl.nl <http://postnl.nl/> and
minjenv.nl <http://minjenv.nl/>, return incomplete NSEC3 records where existing
records where omitted from the Type Bit Maps.
This caused strange intermittent failures when a resolver was used that
implements aggressive use of DNSSEC validated cache (RFC8198, 4 years old), e.g
powerdns recursor 4.5.x.
e.g., the minjenv has a mx record, but it is not listed in the NSEC3 you’ll get
if you query for the non existent A/AAAA record (only NS SOA RRSIG DNSKEY
NSEC3PARAM) causing mail delivery failures until the TTL expires. postnl.nl
<http://postnl.nl/> has A/AAAA, but the NSEC3 seen for a nonexistent query only
has NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
It is not as such to contact the dns operators and persuade them to upgrade/fix
their software used for DNSSEC signing, but more as should we do more analysis
of this phenomenon and even have a dns flag day before even more resolvers and
operators are going to implement RFC8198? There might be an issue by
deliberately exploiting this and make websites/mail unreachable.
Best regards,
Ruben
--- End Message ---
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
