Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)

Arne Jensen darkdevil at darkdevil.dk
Wed Dec 8 14:22:07 UTC 2021


On 08-12-2021 at 14:35, Marco Davids (Private) via NANOG wrote:
> Hi Laura,
>
> Something seems the matter, indeed:
>
> https://dnsviz.net/d/european-union.europa.eu/YbCzrQ/dnssec/
>
> It's weird; 1.1.1.1 resolves, 8.8.8.8 and 9.9.9.9 return SERVFAIL.
>
It is my understanding that the CNAME should never have been followed, 
since there isn't any covering RRSIG for the actual CNAME, exactly as 
the elaborative message on dnsviz.net claims.

As such, the CNAME record cannot be verified to be authentic.

To me, that part of it also points towards a broken implementation at 
Cloudflare, letting a bogus (insecure) response take effect anyway.

-- 
Kind regards,
Arne Jensen
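
Added example (not part of the original message): a coverage check for the condition described above, an answer section in which the CNAME RRset has no covering RRSIG. The sample answer is constructed, the CNAME target and all RRSIG fields are placeholders, and the check assumes the zone is signed; it tests coverage, validity window and signer name only, not the signature itself.

```python
from collections import defaultdict

# Constructed answer section in `dig +dnssec` presentation format (not captured
# from the real zone). The CNAME target and all RRSIG fields are placeholders.
SAMPLE_ANSWER = """\
european-union.europa.eu. 300 IN CNAME target.example.net.
target.example.net. 60 IN A 192.0.2.10
target.example.net. 60 IN RRSIG A 13 3 60 20211222000000 20211201000000 12345 example.net. c2lnbmF0dXJl
"""

def parse(text):
    """Return (rrsets, rrsigs): RRsets keyed by (owner, class, type), and
    RRSIGs keyed by (owner, class, type covered)."""
    rrsets, rrsigs = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        owner, _ttl, rrclass, rrtype, rdata = line.split(None, 4)
        owner = owner.lower()
        if rrtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl expire incept keytag signer sig
            f = rdata.split()
            rrsigs[(owner, rrclass, f[0])].append(
                {"expire": f[4], "incept": f[5], "signer": f[7].lower()})
        else:
            rrsets[(owner, rrclass, rrtype)].append(rdata)
    return rrsets, rrsigs

def in_zone(owner, signer):
    """The signer name must be the owner itself or an ancestor of it."""
    return signer == "." or owner == signer or owner.endswith("." + signer)

def uncovered_rrsets(text, now):
    """List RRsets with no RRSIG that covers them, is inside its validity
    window at `now` (YYYYMMDDHHMMSS, as dig prints it), and names a signer
    at or above the owner. A validator must not treat these as secure."""
    rrsets, rrsigs = parse(text)
    missing = []
    for key in rrsets:
        ok = any(s["incept"] <= now <= s["expire"] and in_zone(key[0], s["signer"])
                 for s in rrsigs.get(key, []))
        if not ok:
            missing.append(key)
    return sorted(missing)

if __name__ == "__main__":
    for owner, rrclass, rrtype in uncovered_rrsets(SAMPLE_ANSWER, "20211208142207"):
        print(f"no covering RRSIG: {owner} {rrclass} {rrtype}")
```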


