On 03/04/2025 15:17, Bastian Blank via mailop wrote:
> That's why example.{com,net,org}[RFC2606] exists. No need to guess
> then. xxx.com on the other side is a pretty valid domain.

Fair point, noted.

>> Here's a real example, using an organization that is listed publicly as a
>> Proofpoint customer:
>> IN CNAME _dmarc.gcu.edu.dmarc.has.pphosted.com.
>
> This looks pretty broken to begin with, but unrelated to the problem in
> question:
> https://dnsviz.net/d/_dmarc.gcu.edu.dmarc.has.pphosted.com/dnssec/

Thanks - that's a really useful website. I note that it states the
following error:

A query for _dmarc.gcu.edu.dmarc.has.pphosted.com results in a NOERROR
response, while a query for its ancestor, edu.dmarc.has.pphosted.com,
returns a name error (NXDOMAIN), which indicates that subdomains of
edu.dmarc.has.pphosted.com, including
_dmarc.gcu.edu.dmarc.has.pphosted.com, don't exist. See RFC 8020, Sec. 2.

I'm not sure that's related, but it surely doesn't help.

> Which is weird, as this server behaves like a PowerDNS in online signing
> mode (all signatures are valid from Thursday to Thursday three weeks
> later and every server returns a different one).

I'll see if I can get our client to raise a ticket with Proofpoint -
they are a Proofpoint customer as well.
Andy
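
The DNSViz error quoted in the message above, worked through as an added example (not part of the original message and not DNSViz's or Proofpoint's code): it flags a NOERROR name that sits below an NXDOMAIN ancestor, and shows how a resolver applying RFC 8020 Sec. 2 would answer for the DMARC name once that ancestor is in its negative cache. The response codes are constructed from the quoted error text, no DNS queries are made, and all function names are hypothetical.

```python
NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

# Constructed from the DNSViz message quoted in the thread. Names the message
# does not mention are left out, i.e. treated as unobserved.
OBSERVED = {
    "_dmarc.gcu.edu.dmarc.has.pphosted.com": NOERROR,
    "edu.dmarc.has.pphosted.com": NXDOMAIN,
}

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def ancestors(name):
    """Proper ancestors of a name, closest first."""
    labels = normalize(name).split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]

def rfc8020_violation(name, rcodes):
    """Return the closest NXDOMAIN ancestor of a NOERROR name, else None."""
    if rcodes.get(normalize(name)) != NOERROR:
        return None
    for parent in ancestors(name):
        if rcodes.get(parent) == NXDOMAIN:
            return parent
    return None

def cached_answer(name, rcodes, negative_cache):
    """Answer from a resolver that applies RFC 8020 Sec. 2 to its negative
    cache: a cached NXDOMAIN covers every name at or below that node."""
    n = normalize(name)
    if n in negative_cache or any(a in negative_cache for a in ancestors(n)):
        return NXDOMAIN
    return rcodes.get(n, "UNOBSERVED")

if __name__ == "__main__":
    target = "_dmarc.gcu.edu.dmarc.has.pphosted.com."
    print("inconsistent below:", rfc8020_violation(target, OBSERVED))
    print("cold cache:", cached_answer(target, OBSERVED, set()))
    print("ancestor cached:",
          cached_answer(target, OBSERVED, {"edu.dmarc.has.pphosted.com"}))
```

The same name resolves or fails depending on what the resolver queried earlier, so a failure caused by this inconsistency would be intermittent.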