As reported earlier...

On Mon, Mar 30, 2020 at 01:19:21AM -0400, Viktor Dukhovni wrote:

> The authoritative servers look fine to me and DNSViz:
>
> https://dnsviz.net/d/_25._tcp.yellow.xy1.nl/XoF-Kg/dnssec/
>
> but, Cloudflare alone among the big four public DNS services returns
> ServFail, along with most of the answer (sans DNAME RR):
>
> Mangled:
> @1.1.1.1
> @1.0.0.1
> _25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; ServFail AD=0
> _25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; ServFail AD=0
> _dane.xy1.nl. IN TLSA 2 1 1 <...> ; ServFail AD=0
>
> Correct:
> @8.8.8.8
> @8.8.4.4
> _tcp.yellow.xy1.nl. IN DNAME _tcp.xy1.nl. ; NoError AD=1
> _25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; NoError AD=1
> _25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; NoError AD=1
> _dane.xy1.nl. IN TLSA 2 1 1 <...> ; NoError AD=1

On Tue, Mar 24, 2020 at 02:39:24AM -0400, Viktor Dukhovni wrote:

> army.mil (lots of dots in the first rname label):
>
> Mangled:
> $ dig +dnssec -t soa +noall +ans +add army.mil @64.6.64.6
> army.mil. IN SOA ns01.army.mil.
> usarmy.huachuca.netcom.mesg.epdns-global.mail.mil. <...>
> army.mil. IN RRSIG SOA 8 2 3600 20200328054853 20200324044853 51378
> army.mil. <...>
>
> Correct:
> $ dig +dnssec -t soa +noall +ans +add army.mil @8.8.8.8
> army.mil. IN SOA ns01.army.mil.
> usarmy\.huachuca\.netcom\.mesg\.epdns-global.mail.mil. <...>
> army.mil. IN RRSIG SOA 8 2 3600 20200328061900 20200324051900 51378
> army.mil. <...>

It would be great to get a sense of the timeline for getting these
issues addressed. Both can impact email delivery to the affected
domains when the public resolvers in question are used as forwarders
and TLSA lookups fail.

-- 
    Viktor.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
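
The two renderings of the army.mil SOA rname quoted above are different DNS names. The following added example (not part of the original message; the function names are illustrative, not a library API) parses both with the RFC 1035 escape rules to show the label split and the mailbox each one denotes.

```python
# Added example: RFC 1035 presentation-format escaping, applied to the SOA
# rname quoted above. Function names are illustrative, not a library API.

def parse_name(text: str) -> list[bytes]:
    """Split a presentation-format name into labels, honouring \\X and \\DDD."""
    if text == ".":
        return []
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        ch, ddd = text[i], text[i + 1:i + 4]
        if ch == "\\" and len(ddd) == 3 and ddd.isascii() and ddd.isdigit() and int(ddd) < 256:
            cur.append(int(ddd))          # \DDD: one octet written in decimal
            i += 4
        elif ch == "\\" and i + 1 < len(text) and not text[i + 1].isdigit():
            cur.append(ord(text[i + 1]))  # \X: X is literal, even when X is "."
            i += 2
        elif ch == "\\" or (ch == "." and not cur):
            raise ValueError(f"malformed name at offset {i}")
        elif ch == ".":
            labels.append(bytes(cur))     # an unescaped dot ends the label
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(ch))
            i += 1
    if cur:
        labels.append(bytes(cur))
    return labels

def to_text(labels: list[bytes]) -> str:
    """Render labels in presentation format, escaping '.', '\\' and non-printables."""
    def esc(b: int) -> str:
        if b in b".\\":
            return "\\" + chr(b)
        return chr(b) if 0x21 <= b <= 0x7E else f"\\{b:03d}"
    return "".join("".join(map(esc, lab)) + "." for lab in labels) or "."

def rname_mailbox(labels: list[bytes]) -> str:
    """SOA rname: the first label is the local part, the rest is the mail domain."""
    return labels[0].decode("ascii") + "@" + ".".join(l.decode("ascii") for l in labels[1:])

def same_name(a: str, b: str) -> bool:
    """Names are equal when their label sequences match, ignoring ASCII case."""
    return [l.lower() for l in parse_name(a)] == [l.lower() for l in parse_name(b)]

# The two rname renderings from the message above.
CORRECT = r"usarmy\.huachuca\.netcom\.mesg\.epdns-global.mail.mil."  # via 8.8.8.8
MANGLED = "usarmy.huachuca.netcom.mesg.epdns-global.mail.mil."       # via 64.6.64.6
```
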
