Subtle DNS problems to avoid...

Viktor Dukhovni ietf-dane at
Sun Sep 27 19:04:08 CEST 2015

Some of the domains I've tested exhibit sporadic TLSA record DNS
lookup errors, with some of the domain's nameservers working fine,
and others not so well.  DANE mail to these sites gets through
eventually, but perhaps with some delay.  You can see some of the
problems at the URLs below:

Problems include:

    * Warnings about glue NS records differing from authoritative NS
      records (some of the "extra" nameservers don't support DNSSEC,
      refuse service, ...).

    * Warnings about likely UDP fragmentation problems (no response
      unless EDNS0 payload is reduced).

    * Some nameservers reachable only via TCP

    * Some nameservers refusing service for the domain

    * Some nameservers not returning NSEC or NSEC3 records with
      denial of existence.

    * Some nameservers returning the wrong or partial NSEC3 records,
      failing to take into account intermediate domains between
      the zone apex and the qname.

    * Some nameservers returning nonsense NSEC records

    * Expired RRSIGs on a subset of the nameservers.

    * NODATA instead of NXDOMAIN for a subset of the nameservers.

    * NSEC records with no RRSIG for a subset of the nameservers.

Bottom line, please check your DNS from time to time.  Even if mail
is getting through, and DANE tests report success, there may be
some latent problems.

And if anyone on this list owns the above domains, or knows the
responsible parties, please correct your DNS or reach out to
your contacts.
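As an added illustration (not part of the original post), the Python script below encodes the checks behind most of the items in the list above: it compares the delegation (glue) NS set with the NS set the zone itself serves, and for each nameserver flags answers only with a reduced EDNS0 payload (likely fragmentation), TCP-only reachability, REFUSED, answers without RRSIG, negative answers without NSEC/NSEC3 or with unsigned NSEC/NSEC3, expired RRSIGs, and servers that disagree on RCODE (NODATA versus NXDOMAIN). It does not attempt the NSEC3 closest-encloser validation needed to catch wrong or partial NSEC3 chains. The nameserver names, the zone and every response are constructed sample data; in practice you would gather the responses from each server with dig and map them into the same shape.

```python
"""Cross-check what each of a zone's nameservers returns for one DNSSEC
query and flag the failure modes a DANE operator should look for.

Added example, not from the original post.  All responses are
constructed by hand.  In practice gather them per nameserver with e.g.
    dig +dnssec +norecurse              @ns _25._tcp.mx.example.net. TLSA
    dig +dnssec +norecurse +bufsize=512 @ns _25._tcp.mx.example.net. TLSA
    dig +dnssec +norecurse +tcp         @ns _25._tcp.mx.example.net. TLSA
and map the output into the response shape described below.
"""
from datetime import datetime, timezone

# A response is {"rcode": str, "answer": [(rrtype, rdata), ...],
#                "authority": [(rrtype, rdata), ...]}.  RRSIG rdata is a dict
# with the type it covers and its expiration as YYYYMMDDHHmmSS in UTC
# (RFC 4034, section 3.2).  None means the server did not answer at all.

def rrsig_time(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def of_type(section, rrtype):
    return [rdata for t, rdata in section if t == rrtype]

def covered_by_rrsig(section):
    """RR types in this section that carry at least one RRSIG."""
    return {sig["covers"] for sig in of_type(section, "RRSIG")}

def check_ns_sets(parent_ns, child_ns):
    """Delegation (glue) NS set versus the NS set served by the zone itself."""
    extra, missing = set(parent_ns) - set(child_ns), set(child_ns) - set(parent_ns)
    if not extra and not missing:
        return []
    return ["glue NS set differs from authoritative NS set: "
            f"only in parent {sorted(extra)}, only in child {sorted(missing)}"]

def check_nameserver(ns, probes, now):
    """probes: {"udp": resp, "udp512": resp, "tcp": resp}; any may be None/absent."""
    udp, udp512, tcp = probes.get("udp"), probes.get("udp512"), probes.get("tcp")
    resp = udp or udp512 or tcp
    if resp is None:
        return [f"{ns}: no response over UDP or TCP"]
    problems = []
    if udp is None and udp512 is not None:
        problems.append(f"{ns}: likely UDP fragmentation (answers only with EDNS0 payload 512)")
    elif udp is None and tcp is not None:
        problems.append(f"{ns}: reachable only via TCP")
    if resp["rcode"] == "REFUSED":
        return problems + [f"{ns}: refuses service for the zone"]
    answer, authority = resp["answer"], resp["authority"]
    if answer:
        for t in sorted({t for t, _ in answer} - {"RRSIG"} - covered_by_rrsig(answer)):
            problems.append(f"{ns}: {t} answer without RRSIG")
    else:
        # Negative answer: non-existence must be proven with signed NSEC/NSEC3.
        denial = of_type(authority, "NSEC") + of_type(authority, "NSEC3")
        if not denial:
            problems.append(f"{ns}: {resp['rcode']} without NSEC/NSEC3 denial of existence")
        elif not covered_by_rrsig(authority) & {"NSEC", "NSEC3"}:
            problems.append(f"{ns}: NSEC/NSEC3 records without RRSIG")
    for sig in of_type(answer + authority, "RRSIG"):
        if rrsig_time(sig["expiration"]) < now:
            problems.append(f"{ns}: expired RRSIG over {sig['covers']} (expired {sig['expiration']})")
    return problems

def diagnose(results, now):
    """results: {nameserver: probes}.  Also flags servers that disagree on RCODE."""
    problems, by_rcode = [], {}
    for ns, probes in sorted(results.items()):
        problems += check_nameserver(ns, probes, now)
        resp = probes.get("udp") or probes.get("udp512") or probes.get("tcp")
        if resp and resp["rcode"] in ("NOERROR", "NXDOMAIN"):
            by_rcode.setdefault(resp["rcode"], []).append(ns)
    if len(by_rcode) > 1:
        problems.append("nameservers disagree: " + "; ".join(
            f"{rc} from {', '.join(v)}" for rc, v in sorted(by_rcode.items())))
    return problems

# ---- constructed sample data, not real measurements ----
NOW = datetime(2015, 9, 27, tzinfo=timezone.utc)
PARENT_NS = ["ns1.example.net.", "ns2.example.net.", "ns3.example.net."]
CHILD_NS = ["ns1.example.net.", "ns2.example.net."]           # ns3 is stale glue
SIG_OK = {"covers": "TLSA", "expiration": "20151015000000"}
SIG_OLD = {"covers": "TLSA", "expiration": "20150901000000"}  # already expired
NSEC_SIG = {"covers": "NSEC", "expiration": "20151015000000"}
TLSA = ("TLSA", "3 1 1 <sha256-of-spki>")
NSEC = ("NSEC", "_25._tcp.mx.example.net. RRSIG NSEC")
TLSA_PROBES = {  # query for the TLSA record of the MX host
    "ns1.example.net.": {"udp": {"rcode": "NOERROR", "answer": [TLSA, ("RRSIG", SIG_OK)], "authority": []}},
    "ns2.example.net.": {"udp": None, "udp512": {"rcode": "NOERROR", "answer": [TLSA, ("RRSIG", SIG_OLD)], "authority": []}},
    "ns3.example.net.": {"udp": {"rcode": "REFUSED", "answer": [], "authority": []}},
}
NXDOMAIN_PROBES = {  # the same servers asked for a name that does not exist
    "ns1.example.net.": {"udp": {"rcode": "NXDOMAIN", "answer": [], "authority": [NSEC, ("RRSIG", NSEC_SIG)]}},
    "ns2.example.net.": {"udp": None, "udp512": None, "tcp": {"rcode": "NOERROR", "answer": [], "authority": [NSEC]}},
    "ns3.example.net.": {"udp": {"rcode": "REFUSED", "answer": [], "authority": []}},
}

if __name__ == "__main__":
    for line in (check_ns_sets(PARENT_NS, CHILD_NS)
                 + diagnose(TLSA_PROBES, NOW) + diagnose(NXDOMAIN_PROBES, NOW)):
        print(line)
```

The point of querying every authoritative server directly, rather than a recursive resolver, is that a resolver hides the per-server differences: it will retry another server, fall back to TCP, or shrink its EDNS0 buffer, so mail keeps flowing while one nameserver stays broken. Comparing the raw answers side by side is what exposes the latent problems.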


More information about the dane-users mailing list