
Skip result of TLSA lookups for bad nameservers

Open buffrr opened this issue 4 years ago • 0 comments

Some nameservers time out or return SERVFAIL for any record type they don't understand.

An example of such a server found in the wild (at the time of writing):

```
dig @dns1.tribpub.com _443._tcp.www.chicagotribune.com tlsa
```

This nameserver doesn't even understand DNSSEC, but a recursive DNSSEC resolver will return SERVFAIL in this case, which is not an acceptable answer for DANE, and the website breaks.

A DANE client should not expect that all nameservers will answer reliably for the TLSA record type.

To avoid breaking services that use such nameservers, we should:

  • Determine if either A or AAAA records of the host are in a DNSSEC-signed zone
  • If the zone is unsigned, it's safe to skip the result of the TLSA lookup without risking a downgrade attack.
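The check the two bullets describe, as an added example in Go; it is not letsdane's own code. It models a validating resolver's answers as a rcode plus the AD bit, feeds them to a decision function, and exercises that function against a stub resolver filled with constructed data. The `Resolver` interface, the `.example` hostnames, the address values and the TLSA rdata placeholder are all assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Rcode models the subset of DNS response codes the decision needs.
type Rcode int

const (
	NoError Rcode = iota
	NXDomain
	ServFail
)

// Response is what a validating recursive resolver hands back for one query.
// Authenticated mirrors the AD bit: true only when the resolver validated the
// answer (or the denial of existence) against the DNSSEC chain of trust.
type Response struct {
	Rcode         Rcode
	Authenticated bool
	Records       []string // presentation-format rdata; empty for denials
}

// Resolver is the minimal lookup interface the decision logic depends on (assumed, not letsdane's).
type Resolver interface {
	Lookup(name, qtype string) Response
}

// Decision is the outcome of the pre-TLSA check for one host.
type Decision int

const (
	DaneRequired      Decision = iota // signed zone with a usable TLSA RRset: enforce DANE
	DaneNotApplicable                 // skip DANE: doing so opens no downgrade
	DaneLookupFailed                  // signed zone but the TLSA lookup failed: fail closed
)

func (d Decision) String() string {
	return [...]string{"DaneRequired", "DaneNotApplicable", "DaneLookupFailed"}[d]
}

// DecideDane looks at the address records first and only requires a clean
// TLSA answer when those records come from a DNSSEC-signed zone.
func DecideDane(r Resolver, host string, port int) (Decision, []string, error) {
	a := r.Lookup(host, "A")
	aaaa := r.Lookup(host, "AAAA")
	if a.Rcode == ServFail && aaaa.Rcode == ServFail {
		return DaneLookupFailed, nil, errors.New("address lookup failed for " + host)
	}
	// The zone counts as signed if the validator vouched (AD) for either answer,
	// including an authenticated NODATA for one of the two address types.
	signed := a.Authenticated || aaaa.Authenticated
	if !signed {
		// Unsigned zone: an attacker who can tamper with DNS could already forge
		// the A/AAAA answers, so skipping TLSA adds no new downgrade opportunity.
		return DaneNotApplicable, nil, nil
	}

	tlsaName := fmt.Sprintf("_%d._tcp.%s", port, strings.TrimSuffix(host, "."))
	tlsa := r.Lookup(tlsaName, "TLSA")
	switch {
	case tlsa.Rcode == ServFail:
		// Signed zone and SERVFAIL: this may be a bogus (tampered) RRset, so fail closed.
		return DaneLookupFailed, nil, errors.New("TLSA lookup SERVFAIL for " + tlsaName)
	case !tlsa.Authenticated:
		// Insecure TLSA answer under a signed address zone: treated as absent (modelled policy).
		return DaneNotApplicable, nil, nil
	case len(tlsa.Records) == 0:
		// Authenticated denial of existence: the operator publishes no TLSA records.
		return DaneNotApplicable, nil, nil
	default:
		return DaneRequired, tlsa.Records, nil
	}
}

// fakeResolver is constructed test data standing in for a validating resolver.
type fakeResolver map[string]Response

func (f fakeResolver) Lookup(name, qtype string) Response {
	if resp, ok := f[qtype+" "+name]; ok {
		return resp
	}
	// Unknown names behave like the broken nameserver in the issue: SERVFAIL.
	return Response{Rcode: ServFail}
}

// SampleResolver holds constructed data (not live DNS) for three cases: an
// unsigned zone whose nameserver SERVFAILs on TLSA, a signed zone with a TLSA
// record, and a signed zone whose TLSA lookup SERVFAILs.
func SampleResolver() Resolver {
	return fakeResolver{
		"A www.unsigned.example":            {Rcode: NoError, Records: []string{"192.0.2.10"}},
		"AAAA www.unsigned.example":         {Rcode: NoError},
		"TLSA _443._tcp.www.unsigned.example": {Rcode: ServFail},
		"A www.signed.example":              {Rcode: NoError, Authenticated: true, Records: []string{"192.0.2.20"}},
		"AAAA www.signed.example":           {Rcode: NoError, Authenticated: true},
		"TLSA _443._tcp.www.signed.example": {Rcode: NoError, Authenticated: true, Records: []string{"3 1 1 <hash-placeholder>"}},
		"A www.signed-broken.example":       {Rcode: NoError, Authenticated: true, Records: []string{"192.0.2.30"}},
		"AAAA www.signed-broken.example":    {Rcode: NoError, Authenticated: true},
		// no TLSA entry for signed-broken: the stub returns SERVFAIL for it
	}
}

func main() {
	r := SampleResolver()
	for _, h := range []string{"www.unsigned.example", "www.signed.example", "www.signed-broken.example"} {
		d, recs, err := DecideDane(r, h, 443)
		fmt.Printf("%-26s %-18s records=%v err=%v\n", h, d, recs, err)
	}
}
```

The asymmetry is the whole point: the unsigned host gets `DaneNotApplicable` even though its nameserver SERVFAILs on TLSA, while the signed host whose TLSA lookup SERVFAILs gets `DaneLookupFailed`, because in a signed zone a SERVFAIL may mean the validator rejected a tampered RRset and the client cannot tell that apart from a broken nameserver.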

Credits to @vdukhovni for telling me about this idea

buffrr · Apr 26 '21 22:04