growse an hour ago

> Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP.

I feel like we need the angry goose meme here.

"But why are those providers returning incorrect data?"

jeroenhd an hour ago | parent [-]

> "But why are those providers returning incorrect data?"

In this case, because they decided actually implementing the protocol they were supposed to be implementing didn't work for their hacky design, so they hacked together a series of Good Enough workarounds.

These cloud companies are the Microsoft Internet Explorer of DNS service but unlike IE6 they're considered cool enough that they're tolerated.

cdmckay 41 minutes ago | parent [-]

So you’re cool with letting anyone walk your DNS?

phicoh 29 minutes ago | parent [-]

The problem here is that computing the three NSEC3 records you might need to return an NXDOMAIN was considered too expensive. It's just a choice to reduce their costs while increasing complexity for everyone else.
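To make concrete what "three NSEC3 records" means in the comment above, here is an added example (not code from any commenter or from any DNS provider) that implements the NSEC3 owner-name hash from RFC 5155 section 5 and builds the closest-encloser proof an authoritative server has to assemble for a signed NXDOMAIN: one record matching the closest encloser, one covering the "next closer" name, and one covering the wildcard at the closest encloser. The hash parameters (SHA-1, 12 iterations, salt aabbccdd) and the zone names are taken from the RFC 5155 Appendix A example zone; the zone content itself is a constructed subset, and the function names are mine. The test checks the hash function against the Appendix A value for the zone apex.

```python
import base64
import hashlib
from dataclasses import dataclass

# NSEC3PARAM values from RFC 5155 Appendix A (SHA-1, 12 extra iterations,
# salt aabbccdd). The name list is a constructed subset of that zone.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
ZONE_NAMES = ["example", "a.example", "ai.example", "ns1.example", "ns2.example",
              "w.example", "*.w.example", "x.w.example", "y.w.example",
              "x.y.w.example", "xx.example"]

# RFC 4648 base32 -> base32hex alphabet translation (hashed owners sort correctly)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name: length-prefixed labels, root 0x00."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> str:
    """RFC 5155 s5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 160 bits -> 32 base32hex characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


@dataclass(frozen=True)
class NSEC3:
    owner: str  # hashed owner name (base32hex)
    next: str   # hashed owner of the next record in the chain

    def matches(self, h: str) -> bool:
        return h == self.owner

    def covers(self, h: str) -> bool:
        """True if h falls strictly between owner and next (the last record wraps)."""
        if self.owner < self.next:
            return self.owner < h < self.next
        return h > self.owner or h < self.next


def build_chain(names):
    """The zone's NSEC3 chain: records sorted by hash, each pointing at the next."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return [NSEC3(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def _parent(name: str) -> str:
    return name.split(".", 1)[1] if "." in name else ""


def nxdomain_proof(zone_names, chain, qname):
    """Return the three NSEC3 records needed for a signed NXDOMAIN (RFC 5155 s7.2.2)."""
    names = {n.lower().rstrip(".") for n in zone_names}
    q = qname.lower().rstrip(".")
    if q in names:
        raise ValueError(f"{q} exists; not an NXDOMAIN")
    # Walk up the name until an existing ancestor (the closest encloser) is found.
    next_closer, ce = q, _parent(q)
    while ce not in names:
        if not ce:
            raise ValueError(f"{q} is not below the zone apex")
        next_closer, ce = ce, _parent(ce)
    if f"*.{ce}" in names:
        # Not NXDOMAIN at all: the wildcard would be expanded instead.
        raise LookupError(f"*.{ce} exists; answer is a wildcard expansion")

    def find(pred):
        for rec in chain:
            if pred(rec):
                return rec
        raise LookupError("broken NSEC3 chain")

    # The three records may coincide when one span happens to cover both names.
    return {
        "closest_encloser": (ce, find(lambda r: r.matches(nsec3_hash(ce)))),
        "next_closer": (next_closer, find(lambda r: r.covers(nsec3_hash(next_closer)))),
        "wildcard": (f"*.{ce}", find(lambda r: r.covers(nsec3_hash(f'*.{ce}')))),
    }


CHAIN = build_chain(ZONE_NAMES)

if __name__ == "__main__":
    for role, (name, rec) in nxdomain_proof(ZONE_NAMES, CHAIN, "nx.example").items():
        print(f"{role:17} {name:14} -> {rec.owner} .. {rec.next}")
```

Each of the three records (plus its RRSIG) has to be looked up or, for a provider that signs on the fly, computed per query, which is the cost the comment refers to; the wildcard check also shows why a server cannot simply answer NXDOMAIN without first confirming that no wildcard at the closest encloser exists.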