Hi,
On Wed, Sep 29, 2021 at 14:56 Viktor Dukhovni <[email protected]> wrote:

> On Wed, Sep 29, 2021 at 02:33:42PM -0700, Vicky Shrestha wrote:
>
> > > For some reason CloudFlare's auth servers are failing to return
> > > a non-error reply for (at least):
> > >
> > > https://dnsviz.net/d/_25._tcp.mail1.gearnetwork.de/YU_q9g/dnssec/
> > > https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/YVC-8g/dnssec/
> >
> > Thanks Viktor for bringing this to our attention. Both of these records
> > have invalid TLSA rdata. We are rolling out a fix to validate this in our
> > API and will be reaching out to our customers to fix them.

API Validation has been added and rolled out to production. Thanks again for reporting this issue.

> Thanks, much appreciated!
>
> While I've been less than enthusiastic on this list about iterative
> nameservers (recursive resolvers) doing RDATA syntax validation, doing
> such validation at the authoritative servers is less objectionable, and
> I fully support RDATA validation when done before records are added to
> the zone.
>
> Compile-time type checks sure beat runtime errors.
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--
With Regards,
Vicky Shrestha
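A sketch of the kind of pre-publication TLSA RDATA check discussed in this thread, added here as an illustration; it is not Cloudflare's API validation or any code from the list. The thread does not say what was wrong with the two records, so the rules below are assumptions taken from the TLSA field definitions in RFC 6698 and RFC 7218, the function name `validate_tlsa` is hypothetical, and the sample records are constructed.

```python
import re

# Assigned values per RFC 6698 / RFC 7218. The fields are 8-bit on the wire,
# so rejecting unassigned values is a policy choice of this sketch.
USAGES = {0, 1, 2, 3}                 # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
SELECTORS = {0, 1}                    # Cert, SPKI
DIGEST_LEN = {0: None, 1: 32, 2: 64}  # Full (no fixed length), SHA2-256, SHA2-512


def validate_tlsa(rdata):
    """Return a list of problems in TLSA presentation-format RDATA (empty = OK)."""
    fields = rdata.split()
    if len(fields) < 4:
        return ["expected 'usage selector matching-type hex-data'"]
    errors, parsed = [], []
    for name, tok in zip(("usage", "selector", "matching type"), fields):
        if re.fullmatch(r"[0-9]{1,3}", tok) and int(tok) <= 255:
            parsed.append(int(tok))
        else:
            parsed.append(None)
            errors.append(f"{name} {tok!r} is not an integer in 0..255")
    usage, selector, mtype = parsed
    if usage is not None and usage not in USAGES:
        errors.append(f"unassigned certificate usage {usage}")
    if selector is not None and selector not in SELECTORS:
        errors.append(f"unassigned selector {selector}")
    if mtype is not None and mtype not in DIGEST_LEN:
        errors.append(f"unassigned matching type {mtype}")
    # The hex data may be split into several whitespace-separated chunks.
    hexdata = "".join(fields[3:])
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexdata):
        errors.append("certificate association data is not hexadecimal")
    elif len(hexdata) % 2:
        errors.append("certificate association data has an odd number of hex digits")
    else:
        want = DIGEST_LEN.get(mtype)
        if want is not None and len(hexdata) // 2 != want:
            errors.append(f"matching type {mtype} needs {want} bytes, got {len(hexdata) // 2}")
    return errors


if __name__ == "__main__":
    # Constructed sample records, not the RDATA of the zones named in the thread.
    for sample in ("3 1 1 " + "ab" * 32, "3 1 1 " + "ab" * 20, "3 1 2 zz"):
        print(sample[:24], "->", validate_tlsa(sample) or "OK")
```

Run at the point where a record is submitted, a non-empty result rejects the record before it reaches the zone, which is the "compile-time" position described in the quoted message.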
