7/5/2026 at 5:24:16 PM
Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP. A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer. Since the server is telling you the domain exists, policies about what to do when the domain doesn't exist don't apply.
tptacek incoming in 3...2...1...
by pocksuppet
7/5/2026 at 6:07:24 PM
> Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP.
I feel like we need the angry goose meme here.
"But why are those providers returning incorrect data?"
by growse
7/5/2026 at 6:42:41 PM
> "But why are those providers returning incorrect data?"
In this case, because they decided actually implementing the protocol they were supposed to be implementing didn't work for their hacky design, so they hacked together a series of Good Enough workarounds.
These cloud companies are the Microsoft Internet Explorer of DNS service but unlike IE6 they're considered cool enough that they're tolerated.
by jeroenhd
7/5/2026 at 6:47:43 PM
So you’re cool with letting anyone walk your DNS?
by cdmckay
7/5/2026 at 6:59:44 PM
The problem here is that computing three NSEC3 records as you might need to return an NXDOMAIN was considered too expensive. It's just a choice to reduce their costs while increasing complexity for everyone else.
by phicoh
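The "three NSEC3 records" cost this comment refers to, and the shorter "exists, but has no such type" answer described in the summary above, side by side. This is an added illustration, not code from anyone in the thread: the zone contents, the `_dmarc.nope.example.com` query name and the salt/iteration values are constructed for the example, and the hashing follows RFC 5155.

```python
import base64
import hashlib

def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, length-prefixed, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 s5: SHA-1(owner || salt), re-hashed `iterations` more times, base32hex-encoded."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    b32hex = base64.b32encode(h).translate(bytes.maketrans(
        b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV"))
    return b32hex.decode().lower()  # 20 bytes -> 32 chars, no padding

def nxdomain_proof_points(qname: str, zone_names: set, salt: bytes = b"", iterations: int = 0) -> dict:
    """Hashes an NSEC3 signer must prove for an honest NXDOMAIN (RFC 5155 s7.2.2): the closest
    encloser must match an NSEC3 record; the next closer name and the wildcard at the closest
    encloser must each be covered by one. Up to three NSEC3 RRs, each with its own RRSIG."""
    labels = qname.lower().rstrip(".").split(".")
    existing = {n.lower().rstrip(".") for n in zone_names}
    for i in range(1, len(labels)):  # walk towards the apex until an existing ancestor is found
        if ".".join(labels[i:]) in existing:
            closest_encloser, next_closer = ".".join(labels[i:]), ".".join(labels[i - 1:])
            break
    else:
        raise ValueError("qname is not below any name in the zone")
    return {
        "closest_encloser": nsec3_hash(closest_encloser, salt, iterations),
        "next_closer": nsec3_hash(next_closer, salt, iterations),
        "wildcard": nsec3_hash("*." + closest_encloser, salt, iterations),
    }

def black_lie(qname: str) -> dict:
    """What a minimal-covering ('black lie') signer sends instead: NOERROR and one NSEC owned by
    qname itself whose type bitmap claims only NSEC and RRSIG, i.e. 'exists, but no such type'."""
    q = qname.lower().rstrip(".") + "."
    return {"rcode": "NOERROR", "owner": q, "next": "\\000." + q, "types": ["NSEC", "RRSIG"]}

def looks_like_black_lie(rcode: str, qname: str, nsec_owner: str, types: list) -> bool:
    """Detects the pattern from the thread: a NODATA whose NSEC is owned by the queried name and
    advertises no real type. Policy logic keyed on 'domain does not exist' never fires on it."""
    q = qname.lower().rstrip(".") + "."
    return rcode == "NOERROR" and nsec_owner.lower() == q and set(types) <= {"NSEC", "RRSIG"}

if __name__ == "__main__":
    zone = {"example.com", "mail.example.com"}  # constructed sample zone
    print(nxdomain_proof_points("_dmarc.nope.example.com", zone, bytes.fromhex("aabbccdd"), 12))
    print(black_lie("_dmarc.nope.example.com"))
```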
7/5/2026 at 6:57:33 PM
At the time it was well known that messing around with NXDOMAIN would cause problems. But some companies wanted to do it anyhow.
The solution is simple: if you want to use this DMARC feature, then don't host with companies that do weird stuff with NXDOMAIN.
by phicoh
7/5/2026 at 7:24:28 PM
> A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer
This seems like a major design flaw in DNSSEC, if so.
(I don’t have an opinion on whether Cloudflare or whoever else is a good participant in the DNS.)
by woodruffw