The whole zone should have returned SERVFAIL, not just the TLSA lookup. This is a requirement of STD13, and not doing this burnt us (BIND) back in the 1990s. It also gets data errors fixed faster if the whole zone starts returning errors.
Mark

> On 30 Sep 2021, at 07:48, Viktor Dukhovni <[email protected]> wrote:
>
> On Wed, Sep 29, 2021 at 02:33:42PM -0700, Vicky Shrestha wrote:
>
>>> For some reason CloudFlare's auth servers are failing to return
>>> a non-error reply for (at least):
>>>
>>> https://dnsviz.net/d/_25._tcp.mail1.gearnetwork.de/YU_q9g/dnssec/
>>> https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/YVC-8g/dnssec/
>>
>> Thanks Victor for bringing this to our attention. Both of these records
>> have invalid TLSA rdata. We are rolling out a fix to validate this in our
>> API and will be reaching out to our customers to fix them.
>
> Thanks, much appreciated!
>
> While I've been less than enthusiastic on this list about iterative
> nameservers (recursive resolvers) doing RDATA syntax validation, doing
> such validation at the authoritative servers is less objectionable, and
> I fully support RDATA validation when done before records are added to
> the zone.
>
> Compile-time type checks sure beat runtime errors.
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: [email protected]
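The thread above agrees that TLSA RDATA should be validated before it is added to a zone rather than discovered broken at query time. The following is an added example of what such a pre-publication check can look like; it is not Cloudflare's API code, not BIND's, and not anything from the posters. It assumes only the RFC 6698 field layout (one-octet certificate usage, selector and matching type, followed by hexadecimal certificate association data), the RFC 7218 acronyms for those fields, and the digest lengths implied by matching types 1 (SHA2-256, 32 bytes) and 2 (SHA2-512, 64 bytes). The sample records at the bottom are constructed, not taken from any real zone.

```python
import re
from dataclasses import dataclass

# Registered parameter values (IANA DANE Parameters registry, RFC 6698 / RFC 7218).
CERT_USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
# Required length of the Certificate Association Data per matching type;
# None means "any non-empty length" (matching type 0 carries the full object).
DIGEST_LENGTHS = {0: None, 1: 32, 2: 64}
PRIVATE_USE = 255  # reserved for private use in all three registries


class TlsaSyntaxError(ValueError):
    """RDATA that cannot even be turned into wire format."""


@dataclass(frozen=True)
class TlsaRecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    def to_wire(self) -> bytes:
        return bytes([self.usage, self.selector, self.matching_type]) + self.data


def _octet(name: str, token: str, registry: dict) -> int:
    """One-octet field given either as a number or as its RFC 7218 acronym."""
    if token.isdigit():
        value = int(token)
        if value > 255:
            raise TlsaSyntaxError(f"{name} {value} does not fit in one octet")
        return value
    by_acronym = {v.lower(): k for k, v in registry.items()}
    if token.lower() not in by_acronym:
        raise TlsaSyntaxError(f"{name} {token!r} is neither a number nor a known acronym")
    return by_acronym[token.lower()]


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse presentation-format TLSA RDATA ("3 1 1 <hex>") into a record.
    Raises TlsaSyntaxError for anything that has no wire-format encoding."""
    tokens = presentation.split()
    if len(tokens) < 4:
        raise TlsaSyntaxError("TLSA RDATA needs usage, selector, matching type and data")
    usage = _octet("usage", tokens[0], CERT_USAGES)
    selector = _octet("selector", tokens[1], SELECTORS)
    mtype = _octet("matching type", tokens[2], MATCHING_TYPES)
    # The hex field may be split into several whitespace-separated chunks.
    hexdata = "".join(tokens[3:])
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexdata):
        raise TlsaSyntaxError("certificate association data is not hexadecimal")
    if len(hexdata) % 2:
        raise TlsaSyntaxError("certificate association data has an odd number of hex digits")
    return TlsaRecord(usage, selector, mtype, bytes.fromhex(hexdata))


def semantic_problems(rec: TlsaRecord) -> list:
    """Checks beyond wire syntax: registered parameter values and a data
    length consistent with the matching type. Returns a list of findings."""
    problems = []
    if rec.usage not in CERT_USAGES and rec.usage != PRIVATE_USE:
        problems.append(f"unassigned certificate usage {rec.usage}")
    if rec.selector not in SELECTORS and rec.selector != PRIVATE_USE:
        problems.append(f"unassigned selector {rec.selector}")
    if rec.matching_type not in MATCHING_TYPES and rec.matching_type != PRIVATE_USE:
        problems.append(f"unassigned matching type {rec.matching_type}")
    expected = DIGEST_LENGTHS.get(rec.matching_type)
    if expected is not None and len(rec.data) != expected:
        problems.append(
            f"{MATCHING_TYPES[rec.matching_type]} data must be {expected} bytes, got {len(rec.data)}")
    return problems


def lint_tlsa(presentation: str) -> list:
    """Everything a provisioning API could run before accepting the record
    into a zone; an empty list means the RDATA is acceptable."""
    try:
        rec = parse_tlsa(presentation)
    except TlsaSyntaxError as exc:
        return [f"syntax: {exc}"]
    return semantic_problems(rec)


if __name__ == "__main__":
    # Constructed sample inputs, not records taken from any real zone.
    samples = [
        "3 1 1 " + "ab" * 32,                  # well-formed DANE-EE SPKI SHA2-256
        "DANE-EE SPKI SHA2-256 " + "ab" * 32,  # same record using RFC 7218 acronyms
        "3 1 1 abcd",                          # SHA2-256 digest that is far too short
        "3 1 1 " + "ab" * 32 + "c",            # odd number of hex digits
        "9 1 1 " + "ab" * 32,                  # unassigned certificate usage
        "3 1 1 " + "zz" * 32,                  # not hexadecimal at all
    ]
    for s in samples:
        print(f"{s[:40]:<42} -> {lint_tlsa(s) or 'OK'}")
```

The split between `parse_tlsa` and `semantic_problems` mirrors the distinction Viktor draws: a resolver can only reasonably reject what has no wire encoding, whereas the party writing the zone knows which parameter values and digest lengths it intends to publish and can refuse anything else up front.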
