nanog mailing list archives

Re: Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)


From: Arne Jensen <darkdevil () darkdevil dk>
Date: Wed, 8 Dec 2021 15:22:07 +0100

On 08-12-2021 at 14:35, Marco Davids (Private) via NANOG wrote:
Hi Laura,

Something seems the matter, indeed:

https://dnsviz.net/d/european-union.europa.eu/YbCzrQ/dnssec/

It's weird; 1.1.1.1 resolves, 8.8.8.8 and 9.9.9.9 return SERVFAIL.

It is my understanding that the CNAME should never have been followed, since there isn't any covering RRSIG for the actual CNAME, exactly as the elaborative message on dnsviz.net claims.

As such, the CNAME record cannot be verified to be authentic.

To me, that part of it also points towards a broken implementation at CloudFlare, letting bogus (insecure) responses take effect anyway.

--
Med venlig hilsen / Kind regards,
Arne Jensen
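
The condition discussed in the message above (a CNAME returned without a covering RRSIG), as an added example that is not part of the original post: a presence check over an answer section in `dig +dnssec` text format. The record names, key tag and signature data are constructed placeholders, and the check assumes every owner name lies in a signed zone; it does not verify signatures or the chain of trust.

```python
# Added example: list answer-section RRsets that have no covering RRSIG.
# Presence check only; no cryptographic validation is performed.

# Constructed sample in `dig +dnssec` answer-section layout (placeholder names).
SAMPLE_ANSWER = """\
www.signed.example.    300 IN CNAME target.signed.example.
target.signed.example. 300 IN A     192.0.2.10
target.signed.example. 300 IN RRSIG A 13 3 300 20211222000000 20211208000000 12345 signed.example. c2lnbmF0dXJl
"""


def parse_answer(text):
    """Return (rrsets, covered).

    rrsets  = {(owner, type)} for every non-RRSIG record
    covered = {(owner, type_covered)} taken from each RRSIG record
    """
    rrsets, covered = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        fields = line.split()
        if len(fields) < 5:                   # owner TTL class type rdata...
            continue
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "RRSIG":
            covered.add((owner, fields[4].upper()))  # first rdata field
        else:
            rrsets.add((owner, rtype))
    return rrsets, covered


def missing_signatures(text):
    """RRsets in the answer with no RRSIG covering their owner and type."""
    rrsets, covered = parse_answer(text)
    return sorted(rrsets - covered)


def unverifiable_cnames(text):
    """Owner names of CNAME records that a validator could not authenticate."""
    return [owner for owner, rtype in missing_signatures(text) if rtype == "CNAME"]


if __name__ == "__main__":
    for owner in unverifiable_cnames(SAMPLE_ANSWER):
        print(f"{owner} CNAME has no covering RRSIG")
```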

