Any ideas why @Cloudflare is injecting an empty wildcard HINFO RR into all zones they host dns for? That's what's breaking @kubernetesio on @musllibc.
No, still trying to figure out why they're doing this. But the wildcard HINFO is visible w/o an any query.
-
For example, host -t 13 foo.cloudflare.com ns3.cloudflare.com
-
That's not an injection, it returns a NODATA answer.
-
For type HINFO it's not NODATA, it's an empty (1-byte nul) HINFO RR.
-
The presence of the wildcard HINFO is why requests for other RR types yield NODATA rather than NxDomain.
-
No, NODATA means that the name maybe exists, but the requested type for that name does not. It doesn't say anything about a wildcard. You can add DO=1 in the query and read the covered types (or proof of wildcard expansion) from the NSEC record.
-
The underlying problem is that @Cloudflare is returning NODATA for subdomains that don't exist (that the customer didn't intend to exist) rather than NxDomain.
-
I thought I'd diagnosed synthesized wildcard RRs as the mechanism but it seems they may just be an artifact of any-deprecation & my misreading.
-
My bad. But really, DNSSEC’s bad, and it was an intentional trade-off: https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00 …