On Fri, Sep 05, 2014 at 03:11:49PM +0000, Viktor Dukhovni wrote:
> Thanks. I wrote to the operators of the DNS servers, and they are
> planning to fix the bug, but implemented a short-term work-around,
> where the wildcard CNAME was replaced by wildcard A record. However
> the work-around is not working to the satisfaction of my resolver,
> any idea why?
OK, now I understand. The response is "NODATA", but is should be
"NXDOMAIN". All that the change did was prevent the wildcard CNAME
being returned incorrectly, but the wildcard record is still
incorrectly processed for the query in question, and incorrectly
returns "NODATA", rather than "NXDOMAIN".
So the work-around is not sufficient. The real fix is to get the
nameserver to not apply wildcards to subdomains of existent siblings.
I'll try to find out what nameserer software this is, and if
something mainstream, try to let operators know to avoid it.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
