havedane dns issues


Thilo Molitor
Anybody on this list having contact to the maintainer / webmaster of
havedane.net ?
It's having dns issues when the TLSA record is queried with qname minimization
active (RFC 7186).
This is a bug in the dns server or dnssec signer and should be fixed.
Otherwise false negatives are generated!

See this dnsviz link for a description of what is wrong:
http://dnsviz.net/d/_25._tcp.do.havedane.net/dnssec/

- tmolitor

Re: havedane dns issues

Viktor Dukhovni
On Sun, Jun 23, 2019 at 02:10:39AM +0200, Thilo Molitor wrote:

> Anybody on this list having contact to the maintainer / webmaster of
> havedane.net ?

I just sent an email via the contact form.

> It's having dns issues when the TLSA record is queried with qname minimization
> active (RFC 7186).
> This is a bug in the dns server or dnssec signer and should be fixed.
> Otherwise false negatives are generated!

Yes, incorrect handling of empty-non-terminals.  I don't enable
qname minimization on the unbound instance on my MTA.  Still tends
to run into bugs like this now and then.

--
        Viktor.

Re: havedane dns issues

Thilo Molitor
> I just sent an email via the contact form.
Thanks!

> Yes, incorrect handling of empty-non-terminals.  I don't enable
> qname minimization on the unbound instance on my MTA.  Still tends
> to run into bugs like this now and then.
Yes, I now also disabled it.

- tmolitor
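
Added example, not part of the thread: a toy Python model of the failure discussed above, in which a QNAME-minimising resolver reaches the empty non-terminal `_tcp.do.havedane.net` before it ever asks for the TLSA record. The zone contents, the NXDOMAIN answer for the empty non-terminal, and the resolver that does not fall back to the full name are assumptions for illustration; the thread does not say what the server actually returned.

```python
# Constructed zone data: the only name below "do" is the TLSA owner name,
# so _tcp.do.havedane.net. is an empty non-terminal (ENT).
ZONE = {
    "havedane.net.": {"SOA", "NS"},
    "do.havedane.net.": {"A", "MX"},
    "_25._tcp.do.havedane.net.": {"TLSA"},
}

def is_ent(name):
    """True if name owns no records but some name below it does."""
    return name not in ZONE and any(n.endswith("." + name) for n in ZONE)

def authoritative(name, rtype, ent_bug):
    """Toy authoritative server; ent_bug=True models the assumed bug."""
    if name in ZONE:
        return "ANSWER" if rtype in ZONE[name] else "NODATA"
    if is_ent(name):
        # Correct servers answer NODATA here: the name exists, it is just empty.
        return "NXDOMAIN" if ent_bug else "NODATA"
    return "NXDOMAIN"

def resolve(qname, rtype, minimise, ent_bug, apex="havedane.net."):
    """Return (result, queries_sent) for a hypothetical strict resolver."""
    sent = []
    if minimise:
        labels = qname[: -len(apex)].rstrip(".").split(".")
        name = apex
        for label in reversed(labels[1:]):  # every name between apex and qname
            name = label + "." + name
            sent.append((name, "NS"))
            # NXDOMAIN is taken to cover the whole subtree (RFC 8020): stop.
            if authoritative(name, "NS", ent_bug) == "NXDOMAIN":
                return "NXDOMAIN", sent
    sent.append((qname, rtype))
    return authoritative(qname, rtype, ent_bug), sent

if __name__ == "__main__":
    q = "_25._tcp.do.havedane.net."
    for minimise in (False, True):
        for ent_bug in (False, True):
            result, sent = resolve(q, "TLSA", minimise, ent_bug)
            print(f"minimise={minimise!s:5} ent_bug={ent_bug!s:5} -> {result:8} "
                  f"after {len(sent)} queries")
```

Only the combination of minimisation and the ENT bug loses the TLSA record; the same buggy server still answers correctly when asked for the full name directly.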