nanog mailing list archives
Re: Slack.com DNSSEC on Feb 12th 15:00 UTC
From: Shumon Huque <shuque () gmail com>
Date: Fri, 4 Feb 2022 11:55:50 -0500
On Fri, Feb 4, 2022 at 11:18 AM William Herrin <bill () herrin us> wrote:
> On Fri, Feb 4, 2022 at 7:55 AM Bjørn Mork <bjorn () mork no> wrote:
>> So why the heck do you insist on keeping that wildcard? Nobody else uses wildcard A records. There is no reason. It's a loaded footgun.
>
> Okay... I know some of the bad things that can happen with CNAMEs. What exactly is the problem with wildcard A records and DNSSEC?
There is no problem with wildcards and DNSSEC. It was a subtle bug in a particular DNS server implementation (Route53), where wildcard NODATA responses were being returned with an incorrect type bitmap in the NSEC record. This caused some DNS resolver implementations that do aggressive negative caching (with RR type inference) to fail to look up some subsequent record types. (That bug is now fixed).

Shumon Huque
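The failure mode described in this message, as an added example that is not part of the original post or of any resolver's code: it encodes and decodes the NSEC type bitmap wire format (RFC 4034, section 4.1.2) and runs a toy cache that infers NODATA from a cached bitmap. The owner name `*.example.`, the class and function names, and the bitmap that omits A are constructed assumptions; the message does not say which types were wrong in the bitmap.

```python
import struct

TYPES = {"A": 1, "AAAA": 28, "RRSIG": 46, "NSEC": 47}  # IANA RR type codes

def encode_bitmap(names):
    """Encode RR type names as an NSEC type bitmap (RFC 4034, section 4.1.2)."""
    windows = {}
    for name in names:
        code = TYPES[name]
        bits = windows.setdefault(code >> 8, bytearray(32))
        bits[(code & 0xFF) >> 3] |= 0x80 >> (code & 7)
    out = b""
    for window in sorted(windows):
        body = bytes(windows[window]).rstrip(b"\x00")
        out += struct.pack("!BB", window, len(body)) + body
    return out

def decode_bitmap(data):
    """Return the set of RR type codes asserted by a wire-format bitmap."""
    present, i = set(), 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed NSEC type bitmap")
        for off, byte in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    present.add(data[i] << 8 | off << 3 | bit)
        i += 2 + length
    return present

class AggressiveCache:
    """Toy validated-NSEC cache (hypothetical); no signatures, TTLs or name expansion."""
    def __init__(self):
        self.nsec = {}

    def store(self, owner, bitmap):
        self.nsec[owner] = decode_bitmap(bitmap)

    def lookup(self, owner, rtype):
        types = self.nsec.get(owner)
        if types is None or TYPES[rtype] in types:
            return "QUERY_UPSTREAM"      # nothing cached denies this type
        return "NODATA_FROM_CACHE"       # type inferred absent from the bitmap

def replay(bitmap_types, owner="*.example."):
    """Cache the NSEC from a NODATA answer, then look up A at the same owner."""
    cache = AggressiveCache()
    cache.store(owner, encode_bitmap(bitmap_types))
    return cache.lookup(owner, "A")
```

With a bitmap that lists A, the later A lookup goes upstream; with one that omits it, the cache answers NODATA itself until the NSEC expires.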
