8 Dec
2021
9:22 a.m.
On 08-12-2021 at 14:35, Marco Davids (Private) via NANOG wrote:
Hi Laura,
Something seems the matter, indeed:
https://dnsviz.net/d/european-union.europa.eu/YbCzrQ/dnssec/
It's weird; 1.1.1.1 resolves, 8.8.8.8 and 9.9.9.9 return SERVFAIL.
It is my understanding that the CNAME should never have been followed, since there isn't any covering RRSIG for the actual CNAME, exactly as the elaborative message on dnsviz.net claims. As such, the CNAME record cannot be verified to be authentic. To me, that part of it also points towards a broken implementation at CloudFlare, letting bogus (insecure) responses take effect anyway.

--
Med venlig hilsen / Kind regards,
Arne Jensen
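The check discussed in this message, as an added example that is not part of the original post or of any resolver's code: it walks the CNAME chain in an answer section and reports every RRset inside a signed zone that arrives without a covering RRSIG. It tests only for the presence of a covering RRSIG, not the signature itself; the `RR` tuple, the target name `edge.example.net.`, the address and the assumption that `europa.eu` is a signed zone are constructed for illustration.

```python
from collections import namedtuple

# Simplified record; for an RRSIG, `covers` holds the "type covered" field.
RR = namedtuple("RR", "owner rtype rdata covers", defaults=(None,))

def norm(name):
    return name.rstrip(".").lower()

def unsigned_links(qname, answer, signed_zones):
    """Follow the CNAME chain from qname and return the (owner, rtype)
    RRsets that lie in a signed zone but have no covering RRSIG."""
    zones = [norm(z) for z in signed_zones]
    covered = {(norm(r.owner), r.covers) for r in answer if r.rtype == "RRSIG"}
    by_owner = {}
    for r in answer:
        if r.rtype != "RRSIG":
            by_owner.setdefault(norm(r.owner), []).append(r)

    missing, name, seen = [], norm(qname), set()
    while name in by_owner and name not in seen:  # `seen` stops CNAME loops
        seen.add(name)
        rrs = by_owner[name]
        in_signed = any(name == z or name.endswith("." + z) for z in zones)
        for rtype in sorted({r.rtype for r in rrs}):
            if in_signed and (name, rtype) not in covered:
                missing.append((name, rtype))
        cname = next((r for r in rrs if r.rtype == "CNAME"), None)
        if cname is None:
            break
        name = norm(cname.rdata)
    return missing

def may_follow(qname, answer, signed_zones):
    """A validating resolver should treat the answer as bogus (SERVFAIL)
    when any link in a signed zone cannot be authenticated."""
    return not unsigned_links(qname, answer, signed_zones)

# Constructed answer sections (not captured from the real zone).
UNSIGNED_CNAME = [
    RR("european-union.europa.eu.", "CNAME", "edge.example.net."),
    RR("edge.example.net.", "A", "192.0.2.10"),
]
SIGNED_CNAME = UNSIGNED_CNAME + [
    RR("european-union.europa.eu.", "RRSIG", "<signature>", covers="CNAME"),
]

if __name__ == "__main__":
    for label, ans in (("unsigned", UNSIGNED_CNAME), ("signed", SIGNED_CNAME)):
        print(label, unsigned_links("european-union.europa.eu", ans, ["europa.eu"]))
```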