This is being addressed. Thanks.
-- Brian L. King ([email protected]<mailto:[email protected]>) Senior Linux/DNS Systems Administrator, Go Daddy AZ time zone (http://x.co/aztime) :wq! On Sun, 2019-12-01 at 14:55 -0500, Viktor Dukhovni wrote: [ This is still unresolved since the original post on Nov 24th, now at least 289 affected TLSA RRsets in 255 domains. Updated details at: <https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html> https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html ] The NSEC3 denial of existence for the TLSA records of at least 202 MX hosts (in 178 domains) is bogus, because the QNAME (or sometimes the wildcard if the qname is covered "by accident") is not covered by any NSEC3 RR. In the below example (RRSIGs elided), the sole NSEC3 RR only covers the zone apex: [snip] -- Viktor.
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
