On Wed, Sep 29, 2021 at 02:33:42PM -0700, Vicky Shrestha wrote:
> > For some reason CloudFlare's auth servers are failing to return
> > a non-error reply for (at least):
> >
> > https://dnsviz.net/d/_25._tcp.mail1.gearnetwork.de/YU_q9g/dnssec/
> > https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/YVC-8g/dnssec/
>
> Thanks Victor for bringing this to our attention. Both of these records
> have invalid TLSA rdata. We are rolling out a fix to validate this in our
> API and will be reaching out to our customers to fix them.

Thanks, much appreciated!

While I've been less than enthusiastic on this list about iterative
nameservers (recursive resolvers) doing RDATA syntax validation, doing
such validation at the authoritative servers is less objectionable, and
I fully support RDATA validation when done before records are added to
the zone.

Compile-time type checks sure beat runtime errors.

--
Viktor.
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
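
A sketch of the kind of check the thread describes, validating TLSA RDATA before a record is accepted into a zone. This is an added example, not code from the original messages or from Cloudflare's API; the function name and sample records are constructed, and the checks assume the RFC 6698 field layout (three 8-bit integers followed by hex association data).

```python
import binascii

# Digest lengths in bytes for the hash matching types defined in RFC 6698.
DIGEST_LEN = {1: 32, 2: 64}  # 1 = SHA-256, 2 = SHA-512


def validate_tlsa_rdata(text):
    """Check a presentation-format TLSA RDATA string.

    Returns a list of problems; an empty list means the record is
    syntactically acceptable and may be added to the zone.
    (Hypothetical helper name, used only for this example.)
    """
    fields = text.split()
    if len(fields) < 4:
        return ["expected: usage selector matching-type hex-data"]
    problems, numbers = [], []
    for name, token in zip(("usage", "selector", "matching type"), fields):
        # Each of the first three fields is an unsigned 8-bit integer.
        ok = token.isascii() and token.isdigit() and len(token) <= 3
        if ok and int(token) <= 255:
            numbers.append(int(token))
        else:
            numbers.append(None)
            problems.append(f"{name} {token!r} is not an integer in 0..255")
    # Presentation format allows the hex data to be split by whitespace.
    try:
        data = binascii.unhexlify("".join(fields[3:]))
    except ValueError:
        return problems + ["association data is not an even-length hex string"]
    # A digest must have exactly the length of the hash the record names.
    expected = DIGEST_LEN.get(numbers[2])
    if expected is not None and len(data) != expected:
        problems.append(
            f"matching type {numbers[2]} needs {expected} bytes, got {len(data)}")
    return problems


if __name__ == "__main__":
    # Constructed sample records, not taken from any real zone.
    for rdata in ("3 1 1 " + "ab" * 32,   # well-formed SHA-256 digest
                  "3 1 1 " + "ab" * 31,   # digest one byte short
                  "3 1 1 not-hex-data"):  # not hexadecimal at all
        print(rdata[:24], "->", validate_tlsa_rdata(rdata) or "ok")
```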