* Vladimír Čunát:

> (I don't react to the SERVFAIL from CloudFlare auth.)
>
> On 4/19/20 8:55 AM, Viktor Dukhovni wrote:
>> the NSEC RR promises TLSA records, among a rather oddball mix of
>> other rrtypes
>
> I believe that's normal for CloudFlare authoritatives, and so far I've
> noticed no real problems from that, apart from effects like less
> efficient caching. Description:
> https://blog.cloudflare.com/black-lies/#dnsshotgun

For me, queries to alla.ns.cloudflare.com for _25._tcp.mx01.mx-hosting.ch/IN/TLSA time out (even over TCP). That breaks denial of existence and thus DANE. There is no obvious client-side workaround because the NSEC RRset says that the TLSA RRset exists.

Could this work if the authoritative server returned an RRSIG signature of an empty TLSA RRset?
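Why the NSEC type bitmap leaves a validator no way out, as an added example that is not part of the original post or of any resolver's code: it decodes the bitmap (RFC 4034 section 4.1.2) and accepts a NODATA proof only when the queried type's bit is clear. The type lists in `SAMPLE` and `MINIMAL` are constructed for illustration, not captured from the servers discussed, and the function names are hypothetical.

```python
# RFC 4034 section 4.1.2 NSEC type-bitmap handling (added example).
TYPES = {"A": 1, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28,
         "RRSIG": 46, "NSEC": 47, "TLSA": 52, "CAA": 257}

def encode_bitmap(type_codes):
    """Build the wire-format type bitmap for a collection of RR type codes."""
    windows = {}
    for t in type_codes:
        win, low = divmod(t, 256)            # window number, offset in window
        block = windows.setdefault(win, bytearray(32))
        block[low // 8] |= 0x80 >> (low % 8)  # bits are numbered from the MSB
    out = bytearray()
    for win in sorted(windows):
        block = bytes(windows[win]).rstrip(b"\x00")  # trailing zero octets omitted
        out += bytes([win, len(block)]) + block
    return bytes(out)

def decode_bitmap(wire):
    """Return the set of RR type codes asserted by a wire-format bitmap."""
    types, pos, last_win = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[pos], wire[pos + 1]
        pos += 2
        if not 1 <= length <= 32 or win <= last_win or pos + length > len(wire):
            raise ValueError("malformed type bitmap")
        for i, octet in enumerate(wire[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(win * 256 + i * 8 + bit)
        pos += length
        last_win = win
    return types

def nodata_provable(wire, qtype):
    """True if this bitmap proves qtype absent at the NSEC owner name.
    Assumes the owner name matches the query name and the RRSIG validated."""
    present = decode_bitmap(wire)
    return qtype not in present and TYPES["CNAME"] not in present

# Constructed samples: one bitmap that asserts TLSA, one that does not.
SAMPLE = encode_bitmap(TYPES[n] for n in ("A", "MX", "TXT", "AAAA", "RRSIG", "NSEC", "TLSA"))
MINIMAL = encode_bitmap(TYPES[n] for n in ("A", "RRSIG", "NSEC"))

if __name__ == "__main__":
    print("TLSA absence provable, bit set:  ", nodata_provable(SAMPLE, TYPES["TLSA"]))
    print("TLSA absence provable, bit clear:", nodata_provable(MINIMAL, TYPES["TLSA"]))
```

With the TLSA bit set and no TLSA answer arriving, the client has neither the records nor a valid denial, so a DANE client cannot tell an unreachable server from a stripped response.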
