Any ideas why @Cloudflare is injecting an empty wildcard HINFO RR into all zones they host dns for? That's what's breaking @kubernetesio on @musllibc.
-
The presence of the wildcard HINFO is why requests for other RR types yield NODATA rather than NxDomain.
-
No, NODATA means that the name may exist, but the requested type for that name does not. It doesn't say anything about a wildcard. You can add DO=1 in the query and read the covered types (or proof of wildcard expansion) from the NSEC record.
-
The underlying problem is that @Cloudflare is returning NODATA for subdomains that don't exist (that the customer didn't intend to exist) rather than NxDomain.
-
I thought I'd diagnosed synthesized wildcard RRs as the mechanism but it seems they may just be an artifact of any-deprecation & my misreading.
-
My bad. But really, DNSSEC’s bad, and it was an intentional trade-off: https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00 …
-
Does Cloudflare have any proposal for how their results should be interpreted/how clients should distinguish between nonexistent domains and domains that just lack a specific record type?
-
Making this distinction is necessary for search domain functionality to work in a consistent manner (i.e. getting data for the same search path component independent of RR type requested).
-
This should be now fixed, can you check on any affected zone? cc @odintsov_pavel
New conversation -
Aren't you confusing it with question section?
-
Maybe I misread it. I'll look again.
-
Do you know what's the DNS client that's having issues with the answer?
-
It interferes with the way @kubernetesio uses search domains if the resolver imposes reasonable consistency requirements. See this thread: http://www.openwall.com/lists/musl/2018/03/30/12 …
-
Thanks, I think I understand why the NODATA can be an issue. I'll see what we can do to change the behavior. The search list algorithm is unfortunately poorly defined https://www.icann.org/en/system/files/files/sac-064-en.pdf …
-
Thanks for taking the time to look at it.