Slack.com DNSSEC on Feb 12th 15:00 UTC
Shumon Huque
shuque at gmail.com
Fri Feb 4 16:55:50 UTC 2022
On Fri, Feb 4, 2022 at 11:18 AM William Herrin <bill at herrin.us> wrote:
> On Fri, Feb 4, 2022 at 7:55 AM Bjørn Mork <bjorn at mork.no> wrote:
> > So why the heck do you insist on keeping that wildcard? Nobody else use
> > wildcard A records. There is no reason. It's a loaded footgun.
>
> Okay... I know some of the bad things that can happen with CNAMEs.
> What exactly is the problem with wildcard A records and DNSSEC?
>
There is no problem with wildcards and DNSSEC.
It was a subtle bug in a particular DNS server implementation (Route53),
where wildcard NODATA responses were being returned with an incorrect
type bitmap in the NSEC record. This caused some DNS resolver
implementations that do aggressive negative caching (with RR type
inference) to fail to lookup some subsequent record types. (That bug is
now fixed).
Shumon Huque
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20220204/f26d942a/attachment.html>
More information about the NANOG
mailing list