Closed khibino closed 1 year ago
The DS chain is not followed correctly when child zones are co-located and the apex of the child zone has an A record
```
% dig @ns3.cloudflare.com. cloudflare.com. SOA
...
;; ANSWER SECTION:
cloudflare.com. 300 IN SOA ns3.cloudflare.com. dns.cloudflare.com. 2323140067 10000 2400 604800 300
...
% dig @ns3.cloudflare.com. www.cloudflare.com. SOA
...
;; ANSWER SECTION:
www.cloudflare.com. 1800 IN SOA jule.ns.cloudflare.com. dns.cloudflare.com. 2323040015 10000 2400 604800 1800
...
```
Both the `cloudflare.com` zone and the `www.cloudflare.com.` zone are held on `ns3.cloudflare.com`.
The DS chain `cloudflare.com -> www.cloudflare.com.` is not followed:
```
% dug -i --demo www.cloudflare.com. MX
...
delegation - verification success - RRSIG of DS: "com." -> "cloudflare.com."
...
no delegation: "cloudflare.com." -> "www.cloudflare.com."
...
cacheSectionNegative: no SOA records found with zone="cloudflare.com.", domain="www.cloudflare.com." under zone="cloudflare.com.": SOA records in authority section: ResourceRecord {rrname = "www.cloudflare.com.", rrtype = SOA, rrclass = IN, rrttl = 1800(30 mins), rdata = RD_SOA {soa_mname = "jule.ns.cloudflare.com.", soa_rname = "dns@cloudflare.com.", soa_serial = 2323040015, soa_refresh = 10000(2 hours), soa_retry = 2400(40 mins), soa_expire = 604800(7 days), soa_minimum = 1800(30 mins)}}
...
```
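The situation in the report above, as an added example that is not part of the original issue and is not the dnsext code or the logic of its fix: a sketch of how a validating resolver can tell an ordinary negative answer from a co-located child zone by comparing the SOA owner in the authority section with the zone it believes it is in. The function names and return labels are hypothetical; the sample names are the ones shown in the issue.

```python
# Added example (not dnsext code). All function names and labels are hypothetical.

def labels(name):
    """Split a domain name into lowercase labels; the root "." gives []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, zone):
    """True if name is at or below zone, compared label by label.
    A plain string-suffix test would wrongly accept evilcloudflare.com."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def classify_soa(zone, qname, soa_owner):
    """Classify the SOA owner seen in an authority section.

    zone      -- zone the resolver currently holds a validated DS/DNSKEY for
    qname     -- name being resolved
    soa_owner -- owner name of the SOA record in the authority section
    """
    if labels(soa_owner) == labels(zone):
        return "negative-in-zone"      # normal NXDOMAIN/NODATA from this zone
    if is_subdomain(soa_owner, zone) and is_subdomain(qname, soa_owner):
        return "child-zone-cut"        # server also hosts a child zone
    return "out-of-bailiwick"          # SOA unrelated to zone/qname: reject

def next_step(zone, qname, soa_owner):
    """Return (action, name, qtype) describing what to do next."""
    kind = classify_soa(zone, qname, soa_owner)
    if kind == "child-zone-cut":
        # The DS RRset for the child apex lives in the parent zone, so the
        # chain of trust continues with a DS query for the SOA owner.
        apex = ".".join(labels(soa_owner)) + "."
        return ("query", apex, "DS")
    if kind == "negative-in-zone":
        return ("cache-negative", ".".join(labels(qname)) + ".", None)
    return ("reject", None, None)

if __name__ == "__main__":
    # Values taken from the issue: SOA owner is the child apex, not the parent.
    print(next_step("cloudflare.com.", "www.cloudflare.com.", "www.cloudflare.com."))
```
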
resolved by https://github.com/kazu-yamamoto/dnsext/commit/c7e4b3a23da5c08f28be06d5e4cf1f1aef992ebc