Slack.com DNSSEC on Feb 12th 15:00 UTC

Shumon Huque shuque at gmail.com
Fri Feb 4 16:55:50 UTC 2022


On Fri, Feb 4, 2022 at 11:18 AM William Herrin <bill at herrin.us> wrote:

> On Fri, Feb 4, 2022 at 7:55 AM Bjørn Mork <bjorn at mork.no> wrote:
> > So why the heck do you insist on keeping that wildcard?  Nobody else uses
> > wildcard A records.  There is no reason.  It's a loaded footgun.
>
> Okay... I know some of the bad things that can happen with CNAMEs.
> What exactly is the problem with wildcard A records and DNSSEC?
>

There is no problem with wildcards and DNSSEC.

It was a subtle bug in a particular DNS server implementation (Route53),
where wildcard NODATA responses were being returned with an incorrect
type bitmap in the NSEC record. This caused some DNS resolver
implementations that do aggressive negative caching (with RR type
inference) to fail to look up some subsequent record types. (That bug is
now fixed).

Shumon Huque
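The failure mode described above, as an added illustration that is not code from this thread, from Route53, or from any resolver: a small model of RFC 8198 aggressive negative caching at a wildcard. A resolver that has cached a validated NSEC for `*.example.test.` uses its type bitmap to synthesize NODATA for every other name the wildcard matches. If the authoritative server's wildcard NODATA response carried a bitmap that omits a type the wildcard actually owns, the resolver keeps answering NODATA for that type without ever asking. The zone, the wildcard name, and the choice of TXT as the dropped type are constructed for the example; the thread does not say which types the real bug affected, and signature validation and the closer-match proof are assumed already done.

```python
# Constructed model of RFC 8198 "aggressive use of DNSSEC-validated cache"
# at a wildcard, showing how a wrong NSEC type bitmap in a wildcard NODATA
# response becomes false NODATA answers for other types. This is an added
# illustration, not code from the thread, Route53, or any resolver.
from dataclasses import dataclass
from typing import Callable

# Constructed zone: one wildcard owning A and TXT. Which types the real
# Route53 bug dropped from the bitmap is not stated in the thread; dropping
# TXT here is an assumption made purely for illustration.
WILDCARD = "*.example.test."
ZONE = {WILDCARD: {"A": ["192.0.2.1"], "TXT": ["v=spf1 -all"]}}


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset  # the type bitmap: RR types present at `owner`


def wildcard_nsec(buggy_bitmap: bool) -> NSEC:
    """NSEC for the wildcard; RRSIG/NSEC bits omitted as irrelevant here."""
    present = frozenset(ZONE[WILDCARD])  # {"A", "TXT"}
    types = present - {"TXT"} if buggy_bitmap else present
    return NSEC(owner=WILDCARD, next_name="example.test.", types=types)


def matches_wildcard(name: str) -> bool:
    """True if `name` is a direct child of the wildcard's parent, i.e. no
    exact match exists and wildcard expansion applies. Real resolvers
    establish this from the NSEC proving no closer match; assumed here."""
    parent = WILDCARD[2:]
    return name.endswith("." + parent) and "." not in name[: -len(parent) - 1]


Answer = tuple  # (rcode, rdata, nsec_or_None)


def make_authoritative(buggy_bitmap: bool) -> Callable[[str, str], Answer]:
    """Authoritative server for the constructed zone."""
    nsec = wildcard_nsec(buggy_bitmap)

    def auth(qname: str, qtype: str) -> Answer:
        if matches_wildcard(qname):
            rrs = ZONE[WILDCARD].get(qtype)
            if rrs:
                return ("NOERROR", rrs, None)      # wildcard expansion
            return ("NODATA", None, nsec)          # wildcard NODATA + NSEC
        return ("NXDOMAIN", None, None)            # proofs omitted for brevity

    return auth


class AggressiveResolver:
    """Caches (assumed validated) NSEC records and synthesizes NODATA from
    them, as RFC 8198 permits, before asking the authoritative server."""

    def __init__(self, auth: Callable[[str, str], Answer]):
        self.auth = auth
        self.nsec_cache: list[NSEC] = []
        self.queries_sent = 0

    def resolve(self, qname: str, qtype: str) -> tuple:
        for nsec in self.nsec_cache:
            # A cached wildcard NSEC applies to every name the wildcard
            # matches, so its bitmap decides for all of them which types exist.
            if nsec.owner == WILDCARD and matches_wildcard(qname):
                if qtype not in nsec.types:
                    return ("NODATA", None, "synthesized")
        self.queries_sent += 1
        rcode, rdata, nsec = self.auth(qname, qtype)
        if nsec is not None:
            self.nsec_cache.append(nsec)
        return (rcode, rdata, "authoritative")


def run_scenario(buggy_bitmap: bool) -> tuple:
    """Query MX (absent at the wildcard), then TXT (present) under it."""
    r = AggressiveResolver(make_authoritative(buggy_bitmap))
    first = r.resolve("foo.example.test.", "MX")    # NODATA; NSEC cached
    second = r.resolve("bar.example.test.", "TXT")  # depends on the bitmap
    return first, second, r.queries_sent


if __name__ == "__main__":
    for buggy in (False, True):
        print("buggy bitmap" if buggy else "correct bitmap", run_scenario(buggy))
```

With the correct bitmap the second query reaches the authoritative server and gets the TXT record; with the buggy bitmap the resolver answers NODATA for TXT from cache after a single MX query, and will keep doing so until the NSEC expires. To check a live zone for this, query a non-existent type under the wildcard with `dig +dnssec` and compare the type bitmap on the returned NSEC against the types the wildcard actually answers for.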