pocksuppet
an hour ago
Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP. A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer. Since the server is telling you the domain exists, policies about what to do when the domain doesn't exist don't apply.
tptacek incoming in 3...2...1...
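To make the distinction in this comment concrete, here is a small added example (not code from the thread or from any DNS provider) that classifies the kinds of negative answer a validating client can receive. It uses a constructed, simplified model of a response (rcode, answer types, and the NSEC records in the authority section) rather than a real DNS library; the sample responses are made up. The "minimal" case models the pattern this comment describes: NOERROR with an NSEC whose owner is the query name and whose type bitmap carries nothing but NSEC and RRSIG, which is what a client sees when a provider answers "exists, but no such type" in place of "does not exist".

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Nsec:
    """One NSEC record from the authority section (constructed model)."""
    owner: str            # owner name of the NSEC record
    next_name: str        # the "next" field
    types: frozenset      # type bitmap, as a set of type names


@dataclass
class Response:
    """The parts of a DNSSEC-signed response that matter for this check."""
    qname: str
    qtype: str
    rcode: str                              # "NXDOMAIN" or "NOERROR"
    answer_types: frozenset = frozenset()   # RR types actually returned
    nsecs: list = field(default_factory=list)


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def classify(resp: Response) -> str:
    """Return 'positive', 'nxdomain', 'nodata' or 'nodata-minimal'.

    'nodata-minimal' is a NOERROR answer whose NSEC for the query name
    proves only NSEC+RRSIG exist there: the name may be entirely absent,
    but the rcode does not say so.
    """
    if resp.rcode == "NXDOMAIN":
        return "nxdomain"
    if resp.answer_types:
        return "positive"
    for n in resp.nsecs:
        if normalize(n.owner) == normalize(resp.qname):
            if n.types <= {"NSEC", "RRSIG"}:
                return "nodata-minimal"
            return "nodata"
    return "nodata"


def nxdomain_policy_applies(resp: Response) -> bool:
    """A policy keyed on the NXDOMAIN rcode alone never fires for the
    minimal-cover answer, even though the name likely does not exist."""
    return resp.rcode == "NXDOMAIN"


def name_may_not_exist(resp: Response) -> bool:
    """Defensive check: treat both real NXDOMAIN and the minimal-cover
    NODATA as 'no evidence this name exists'."""
    return classify(resp) in {"nxdomain", "nodata-minimal"}


def sample_responses() -> dict:
    """Three constructed answers for the same query, AAAA nope.example."""
    q = "nope.example."
    return {
        # Classic signed denial of existence.
        "classic": Response(q, "AAAA", "NXDOMAIN", nsecs=[
            Nsec("example.", "www.example.", frozenset({"SOA", "NS", "RRSIG", "NSEC"})),
        ]),
        # Real NODATA: name exists (has an A record), no AAAA.
        "nodata": Response(q, "AAAA", "NOERROR", nsecs=[
            Nsec(q, "\\000.nope.example.", frozenset({"A", "RRSIG", "NSEC"})),
        ]),
        # Shortened answer: NOERROR plus an NSEC proving only NSEC+RRSIG.
        "minimal": Response(q, "AAAA", "NOERROR", nsecs=[
            Nsec(q, "\\000.nope.example.", frozenset({"RRSIG", "NSEC"})),
        ]),
    }


if __name__ == "__main__":
    for label, r in sample_responses().items():
        print(f"{label:8} class={classify(r):15} "
              f"nxdomain_policy={nxdomain_policy_applies(r)} "
              f"may_not_exist={name_may_not_exist(r)}")
```

Running it shows the gap: the "minimal" answer is classified as `nodata-minimal`, `nxdomain_policy_applies` returns `False` for it, and only a check that also looks at the NSEC type bitmap (`name_may_not_exist`) treats it like the classic NXDOMAIN case.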
growse
41 minutes ago
> Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP.
I feel like we need the angry goose meme here.
"But why are those providers returning incorrect data?"
jeroenhd
6 minutes ago
> "But why are those providers returning incorrect data?"
In this case, because they decided actually implementing the protocol they were supposed to be implementing didn't work for their hacky design, so they hacked together a series of Good Enough workarounds.
These cloud companies are the Microsoft Internet Explorer of DNS service but unlike IE6 they're considered cool enough that they're tolerated.
cdmckay
a minute ago
So you’re cool with letting anyone walk your DNS?