> Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP.

I feel like we need the angry goose meme here.

"But why are those providers returning incorrect data?"

reply
> "But why are those providers returning incorrect data?"

In this case, because they decided actually implementing the protocol they were supposed to be implementing didn't work for their hacky design, so they hacked together a series of Good Enough workarounds.

These cloud companies are the Microsoft Internet Explorer of DNS service but unlike IE6 they're considered cool enough that they're tolerated.

reply
Cloudflare is well known for breaking DNS standards whenever they feel like it; they’re too big to ignore, so they get away with murder.
reply
So you’re cool with letting anyone walk your DNS?
reply
The problem here is that computing the three NSEC3 records you might need to return an NXDOMAIN was considered too expensive. It's just a choice to reduce their costs while increasing complexity for everyone else.
reply
At the time it was well known that messing around with NXDOMAIN would cause problems. But some companies wanted to do it anyhow.

The solution is simple: if you want to use this DMARC feature, then don't host with companies that do weird stuff with NXDOMAIN.

reply
> A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer

This seems like a major design flaw in DNSSEC, if so.

(I don’t have an opinion on whether Cloudflare or whoever else is a good participant in the DNS.)

reply
Most of the time people are not asking for domains which don't resolve. Also, think about what DNSSEC is actually having to do when signing an NXDOMAIN. It needs to prove a negative with offline signing keys; DNSSEC does this by basically making a linked list of each zone and signing the links.
reply
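The comments above describe why an honest signed NXDOMAIN costs more signed records than a NODATA answer, and why a provider might shortcut it by pretending the name exists. The following Python is an added illustration, not code from the thread, from Cloudflare or from any DNS implementation. It models a small signed zone as a canonically ordered NSEC ring (plain NSEC rather than NSEC3, so the honest proof needs up to two records instead of the three NSEC3 records mentioned above), computes the records an honest NXDOMAIN proof, a NODATA proof and a "black lie" NODATA answer would carry, and counts signed RRsets instead of producing real signatures. The zone contents, the name `example.com.` and all function names are constructed for the example; it assumes the zone has no empty non-terminals.

```python
"""Toy model of DNSSEC negative answers (added example; not code from the thread).

A signed zone's names are chained in canonical order (RFC 4034 s.6.1) with NSEC
records.  The chain lets a validator check what offline-signed data can prove:
a name exists but lacks a type (NODATA), a name does not exist (NXDOMAIN), and
no wildcard would have matched.  The zone below is constructed for the demo;
empty non-terminals are ignored and signatures are represented only by count.
"""

# Constructed zone: owner name -> types present.  build_nsec_chain() sorts it.
ZONE = {
    "example.com.": {"SOA", "NS", "DNSKEY"},
    "_dmarc.example.com.": {"TXT"},
    "mail.example.com.": {"A", "MX"},
    "www.example.com.": {"A", "AAAA"},
}


def _labels(name):
    """Labels of a fully qualified name, leftmost first; the root is omitted."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def canonical_key(name):
    """RFC 4034 canonical ordering: compare labels from the root outward as raw
    bytes (lower-cased); a name that is a prefix of another sorts first."""
    return tuple(label.encode() for label in reversed(_labels(name)))


def build_nsec_chain(zone):
    """Return [(owner, next_owner, type_bitmap), ...] covering the whole zone.
    Every NSEC also asserts RRSIG and NSEC on its owner; the last record wraps
    to the apex, so the chain is a ring."""
    names = sorted(zone, key=canonical_key)
    return [
        (owner, names[(i + 1) % len(names)], frozenset(zone[owner] | {"RRSIG", "NSEC"}))
        for i, owner in enumerate(names)
    ]


def nsec_covers(owner, next_owner, qname):
    """True if qname falls strictly between owner and next_owner, i.e. this NSEC
    proves qname does not exist.  Handles the wrap-around record."""
    k_o, k_n, k_q = canonical_key(owner), canonical_key(next_owner), canonical_key(qname)
    if k_o < k_n:
        return k_o < k_q < k_n
    return k_q > k_o or k_q < k_n


def closest_encloser(zone, qname):
    """Longest existing ancestor of qname (assumes no empty non-terminals)."""
    labels = _labels(qname)
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return candidate
    raise ValueError(f"{qname} is not below any name in the zone")


def nxdomain_proof(chain, zone, qname):
    """Honest NXDOMAIN: the NSEC covering qname plus the NSEC covering
    *.<closest encloser>, which rules out wildcard synthesis.  Each record
    carries its own RRSIG, so the answer grows with the record count.
    (NSEC3 needs up to three: closest-encloser match, next-closer cover,
    wildcard cover.)"""
    covering = next(r for r in chain if nsec_covers(r[0], r[1], qname))
    wildcard = "*." + closest_encloser(zone, qname)
    wc_cover = next(r for r in chain if nsec_covers(r[0], r[1], wildcard))
    return [covering] if wc_cover == covering else [covering, wc_cover]


def nodata_proof(chain, qname):
    """NODATA: one NSEC owned by qname whose bitmap lacks the queried type."""
    k = canonical_key(qname)
    return [next(r for r in chain if canonical_key(r[0]) == k)]


def black_lie(qname):
    """The 'black lie' shortcut: answer NOERROR with a synthesised NSEC owned by
    qname whose next name is the minimal successor \\000.qname and whose bitmap
    claims only RRSIG and NSEC.  It validates as NODATA for any type, so one
    record replaces the full non-existence proof and the wildcard check."""
    return [(qname, "\\000." + qname, frozenset({"RRSIG", "NSEC"}))]


def answer(zone, qname, qtype, black_lies=False):
    """Return (rcode, negative-proof records).  Positive answers return []."""
    chain = build_nsec_chain(zone)
    k = canonical_key(qname)
    owner = next((o for o in zone if canonical_key(o) == k), None)
    if owner is not None:
        if qtype in zone[owner]:
            return "NOERROR", []
        return "NOERROR", nodata_proof(chain, qname)
    if black_lies:
        return "NOERROR", black_lie(qname)
    return "NXDOMAIN", nxdomain_proof(chain, zone, qname)


if __name__ == "__main__":
    for q, lie in (("nope.example.com.", False), ("nope.example.com.", True),
                   ("_a.example.com.", False), ("www.example.com.", False)):
        rcode, recs = answer(ZONE, q, "MX", black_lies=lie)
        print(f"{q:22} black_lies={lie!s:5} -> {rcode}, {len(recs)} signed NSEC RRset(s)")
        for owner, nxt, bitmap in recs:
            print(f"    {owner} NSEC {nxt} {' '.join(sorted(bitmap))}")
```

Running it shows the asymmetry the thread is arguing about: `nope.example.com.` needs two signed NSEC RRsets for an honest NXDOMAIN (the covering record and a separate wildcard-denial record), `_a.example.com.` happens to need only one because the same NSEC covers both the name and `*.example.com.`, and the black-lie answer is always exactly one synthesised NSEC owned by the queried name. The cost of the lie is that a validator can no longer distinguish "this name does not exist" from "this name exists with no records of that type", which is the NXDOMAIN-dependent behaviour the thread complains about.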
It's doing that because the protocol was designed for offline signers, which in turn was a result of a folk belief in the 1990s that computers wouldn't be fast enough to do online signing.
reply