> On Sep 16, 2020, at 6:31 PM, Viktor Dukhovni <[email protected]> wrote:
>
> Now it is Google's turn. I still see an incomplete NSEC3 RRset from 8.8.8.8:
>
> $ hsdig -n8.8.8.8 -D -t tlsa _25._tcp.mx.runbox.com
> _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
> runbox.com. IN SOA dns61.copyleft.no. [email protected]. 3000008499 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>

I am seeing this issue again, intermittently from various Google DNS servers. Here's an example from 8.8.4.4:

_25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
runbox.com. IN SOA dns61.copyleft.no. [email protected]. 3000008714 14400 3600 1296000 3600
runbox.com. IN RRSIG SOA 13 2 86400 20210219161924 20210205144924 12629 runbox.com. <sig>
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
*.runbox.com. IN RRSIG NSEC 13 2 3600 20210219161924 20210205144924 12629 runbox.com. <sig>

Or DNSViz (3 of the four public IPs):

https://dnsviz.net/d/_25._tcp.mx.runbox.com/e/437682/dnssec/

-- 
    Viktor.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
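
An added example, not part of the original message: a small checker that applies RFC 4034 section 6.1 canonical ordering to the NSEC records in a response like the one above and reports whether any of them matches or covers the query name. The function names are hypothetical, the response is read as a wildcard no-data answer (an assumption), and signatures are not validated.

```python
# Added example: does an NSEC set prove the query name does not exist?
# Simplified: no signature validation, no escaped-label handling.

def canonical_key(name):
    """RFC 4034 6.1 ordering: lowercase labels compared right to left as bytes."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between the NSEC owner and its next name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps back to the apex

def check_denial(qname, qtype, nsecs):
    """nsecs: list of (owner, next_name, type_set) from the authority section."""
    q = canonical_key(qname)
    result = {"name_matched": False, "name_covered": False,
              "wildcard_lacks_type": False}
    for owner, next_name, types in nsecs:
        o = canonical_key(owner)
        if o == q and qtype not in types:
            result["name_matched"] = True
        if nsec_covers(owner, next_name, qname):
            result["name_covered"] = True
        # A wildcard NSEC applies when its parent is an ancestor of qname.
        if (o[-1] == b"*" and len(q) >= len(o)
                and q[:len(o) - 1] == o[:-1] and qtype not in types):
            result["wildcard_lacks_type"] = True
    result["complete"] = result["name_matched"] or (
        result["name_covered"] and result["wildcard_lacks_type"])
    return result

# The single NSEC from the 8.8.4.4 response quoted above.
RESPONSE_NSECS = [
    ("*.runbox.com.", "_acme-challenge.runbox.com.", {"A", "MX", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    print(check_denial("_25._tcp.mx.runbox.com.", "TLSA", RESPONSE_NSECS))
    # Constructed name that does sort inside the NSEC interval, for contrast.
    print(check_denial("_25._tcp.0.runbox.com.", "TLSA", RESPONSE_NSECS))
```

For the name queried above, `mx` sorts after `_acme-challenge` in canonical order, so the lone wildcard NSEC shows the wildcard has no TLSA but does not cover `_25._tcp.mx.runbox.com.` itself.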
