1 comment

  • pocksuppet, 13 minutes ago
    Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP. A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer. Since the server is telling you the domain exists, policies about what to do when the domain doesn't exist don't apply.

    tptacek incoming in 3...2...1...
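An added example (not from the comment above, nor Cloudflare's or any resolver's code): a small Python classifier that separates the three outcomes the comment describes, NXDOMAIN, a genuine NODATA, and a NODATA whose NSEC type bitmap holds nothing but NSEC and RRSIG, so that a "domain does not exist" policy can be applied to both of the last two. The bitmap heuristic and the sample names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NSEC:
    owner: str             # name the NSEC record is attached to
    types: frozenset       # type bitmap: RR types present at owner

@dataclass
class Response:
    qname: str
    qtype: str
    rcode: str                                   # "NOERROR" or "NXDOMAIN"
    answers: list = field(default_factory=list)  # RR types in answer section
    nsec: list = field(default_factory=list)     # NSEC records in authority

def classify(r: Response) -> str:
    """Return NXDOMAIN, ANSWER, NODATA, NODATA_MINIMAL_NSEC or NODATA_UNPROVEN."""
    if r.rcode == "NXDOMAIN":
        return "NXDOMAIN"
    if r.qtype in r.answers:
        return "ANSWER"
    # NOERROR with an empty answer section is NODATA; look at the NSEC proof.
    for n in r.nsec:
        if n.owner.lower() == r.qname.lower() and r.qtype not in n.types:
            # Heuristic (assumption): a bitmap with nothing but NSEC/RRSIG means
            # no real data lives at this name, so "exists but has no such type"
            # is indistinguishable from nonexistence for policy purposes.
            if n.types <= {"NSEC", "RRSIG"}:
                return "NODATA_MINIMAL_NSEC"
            return "NODATA"
    return "NODATA_UNPROVEN"

def name_is_nonexistent(r: Response) -> bool:
    """Policy hook: apply 'domain does not exist' handling to both cases."""
    return classify(r) in ("NXDOMAIN", "NODATA_MINIMAL_NSEC")

# Constructed sample responses (hypothetical names, not real captures).
SAMPLES = {
    "classic_nxdomain": Response("nope.example.net.", "A", "NXDOMAIN"),
    "real_nodata": Response("www.example.net.", "TXT", "NOERROR",
                            nsec=[NSEC("www.example.net.", frozenset({"A", "AAAA", "RRSIG", "NSEC"}))]),
    "minimal_nsec": Response("nope.example.net.", "A", "NOERROR",
                             nsec=[NSEC("nope.example.net.", frozenset({"RRSIG", "NSEC"}))]),
    "answered": Response("www.example.net.", "A", "NOERROR", answers=["A"]),
}

if __name__ == "__main__":
    for label, resp in SAMPLES.items():
        print(f"{label:18} -> {classify(resp):22} nonexistent={name_is_nonexistent(resp)}")
```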