Moin!

On 8 Jan 2025, at 10:11, A. Schulze via dns-operations wrote:
> We're looking for reasons that result in DMARC validation failures.
> One assumption is random failures while fetching DKIM public keys from DNS.
>
> We have CNAMEs pointing to dkim.amazonses.com, so I inspected the domain and 
> noticed a DNSViz warning:
> https://dnsviz.net/d/dkim.amazonses.com/Z343qg/dnssec/

Hmm, the only warning I get there is:

com to amazonses.com: Authoritative AAAA records exist for 
ns-265.awsdns-33.com, but there are no corresponding AAAA glue records. See RFC 
1034, Sec. 4.2.2.

Which means no IPv6 glue record for an in-zone (com) name server. Not good, 
especially as ns-265.awsdns-33.com. has an AAAA record, but even without that 
an IPv6-only host should be able to resolve the domains as there are out-of-
domain servers that have an IPv6 clean path (I checked the .org servers, but 
others may have too).

> As this is not a new issue, I don't think it's the reason for our primary 
> issue, but shouldn't that be fixed anyway?

Is this the problem or not? If so, I don’t think it is caused by the warning at 
DNSViz. I agree that it should be fixed, especially as the referral response 
will not get significantly bigger by adding a single IPv6 glue and is nowhere 
near a problematic size.

So long
-Ralf
---
Ralf Weber

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
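
The glue check discussed in the message above, as an added example that is not part of the original post and not DNSViz code: it compares the AAAA glue in a referral with the authoritative AAAA records and lists which name servers an IPv6-only resolver could still reach. All records are constructed; only ns-265.awsdns-33.com comes from the thread, and the .org name and every address are placeholders.

```python
# Added example: every record is constructed. Only ns-265.awsdns-33.com comes
# from the thread; the .org name and all addresses are documentation placeholders.
REFERRAL = """\
amazonses.com.        172800 IN NS ns-265.awsdns-33.com.
amazonses.com.        172800 IN NS ns-placeholder.example.org.
ns-265.awsdns-33.com. 172800 IN A  192.0.2.1
"""
AUTHORITATIVE = """\
ns-265.awsdns-33.com.       172800 IN A    192.0.2.1
ns-265.awsdns-33.com.       172800 IN AAAA 2001:db8::1
ns-placeholder.example.org. 172800 IN A    192.0.2.2
ns-placeholder.example.org. 172800 IN AAAA 2001:db8::2
"""

def parse(text):
    """Parse 'owner ttl class type rdata' lines into {(owner, type): {rdata}}."""
    rrsets = {}
    for line in text.strip().splitlines():
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rrsets.setdefault((owner.lower(), rtype.upper()), set()).add(rdata.strip().lower())
    return rrsets

def in_bailiwick(name, parent):
    """True when the parent zone is an ancestor of name, so glue is expected."""
    return name == parent or name.endswith("." + parent)

def glue_report(zone, parent, referral, authoritative):
    """Return (servers missing AAAA glue, servers usable by an IPv6-only resolver)."""
    ref, auth = parse(referral), parse(authoritative)
    missing, v6_paths = [], []
    for ns in sorted(ref.get((zone, "NS"), ())):
        auth_v6 = auth.get((ns, "AAAA"), set())
        glue_v6 = ref.get((ns, "AAAA"), set())
        if in_bailiwick(ns, parent):
            if auth_v6 - glue_v6:
                missing.append(ns)        # the condition DNSViz warns about
            if glue_v6:
                v6_paths.append(ns)       # simplification: in-zone names count only via glue
        elif auth_v6:
            # Assumption: the other TLD's own servers are reachable over IPv6.
            v6_paths.append(ns)
    return missing, v6_paths

if __name__ == "__main__":
    missing, v6_paths = glue_report("amazonses.com.", "com.", REFERRAL, AUTHORITATIVE)
    print("AAAA glue missing for:", missing)
    print("IPv6-only resolver can still use:", v6_paths)
```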
