Any ideas why @Cloudflare is injecting an empty wildcard HINFO RR into all zones they host dns for? That's what's breaking @kubernetesio on @musllibc.
The presence of the wildcard HINFO is why requests for other RR types yield NODATA rather than NxDomain.
-
-
No, NODATA means that the name maybe exists, but the requested type for that name does not. It doesn't say anything about a wildcard. You can add DO=1 in the query and read the covered types (or proof of wildcard expansion) from the NSEC record.
-
The underlying problem is that @Cloudflare is returning NODATA for subdomains that don't exist (that the customer didn't intend to exist) rather than NxDomain.
-
I thought I'd diagnosed synthesized wildcard RRs as the mechanism but it seems they may just be an artifact of any-deprecation & my misreading.
-
My bad. But really, DNSSEC’s bad, and it was an intentional trade-off: https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00 …
-
Does Cloudflare have any proposal for how their results should be interpreted/how clients should distinguish between nonexistent domains and domains that just lack a specific record type?
-
Making this distinction is necessary for search domain functionality to work in a consistent manner (i.e. getting data for the same search path component independent of RR type requested).
-
This should be now fixed, can you check on any affected zone? cc @odintsov_pavel
-
Tried http://foo.cloudflare.com , seems fixed when querying http://ns3.cloudflare.com directly, but not yet propagated everywhere. Thanks!
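Added example, not part of the thread and not Cloudflare's or musl's code: a sketch of the check discussed above, decoding the NSEC type bitmap returned with DO=1 (RFC 4034, section 4.1.2) to see which types a NODATA name claims to have. It assumes the NSEC owner equals the queried name and, following the linked black-lies draft, treats a bitmap holding only RRSIG and NSEC as "no real data here"; the function names and sample bitmaps are constructed for illustration.

```python
RRSIG, NSEC = 46, 47

def decode_nsec_types(bitmap):
    """Decode an NSEC Type Bit Maps field into a set of RR type numbers."""
    types, i = set(), 0
    while i < len(bitmap):
        if i + 2 > len(bitmap):
            raise ValueError("truncated window header")
        window, length = bitmap[i], bitmap[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(bitmap):
            raise ValueError("bad window length")
        for octet_idx, octet in enumerate(bitmap[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.add(window * 256 + octet_idx * 8 + bit)
        i += 2 + length
    return types

def classify(rcode, answer_count, nsec_types=None):
    """Interpret a response; nsec_types comes from the NSEC at the query name."""
    if rcode == 3:
        return "NXDOMAIN"
    if rcode != 0:
        return "ERROR"
    if answer_count > 0:
        return "ANSWER"
    # Assumption: only RRSIG/NSEC present means the name carries no real data.
    if nsec_types is not None and nsec_types <= {RRSIG, NSEC}:
        return "NODATA (no real types at name)"
    return "NODATA"

# Constructed bitmaps (not captured traffic): window 0, six octets each.
EMPTY_NAME = bytes.fromhex("0006000000000003")   # RRSIG, NSEC only
REAL_NAME = bytes.fromhex("0006400000080003")    # A, AAAA, RRSIG, NSEC

if __name__ == "__main__":
    for label, bm in (("empty", EMPTY_NAME), ("real", REAL_NAME)):
        t = decode_nsec_types(bm)
        print(label, sorted(t), classify(0, 0, t))
```

A resolver without DNSSEC (DO=0) never sees the bitmap, so for it both cases collapse to plain NODATA, which is the search-domain problem raised in the thread.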