[dns-operations] Trouble with qa.ws.igt.fiscal.treasury.gov

Mark Andrews marka at isc.org
Wed Oct 19 01:10:54 UTC 2022 


> On 18 Oct 2022, at 17:02, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> On Mon, Oct 17, 2022 at 09:52:43PM -0700, cjc+dns-oarc at pumpky.net wrote:
> 
>> Having some problems resolving qa.ws.igt.fiscal.treasury.gov. There is 
>> pretty clearly a problem,
>> 
>> https://dnsviz.net/d/qa.ws.igt.fiscal.treasury.gov/dnssec/
> 
> DNSViz struggles to display this properly, because the same underlying
> nameservers serve both the parent and child zone, and instead of
> referrals serves authoritative data from the child.  However, the
> parent zone is signed, and the child zone is not.  A resolver
> expecting signed answers from the parent sees unsigned answers
> instead and is liable to get confused.
> 
>> What it looks like to me is that everything [below] fiscal.treasury.gov is 
>> supposed to be insecure (unsigned). There is a zone cut at 
>> fiscal.treasury.gov, but it is not properly delegated in DNSSEC. The 
>> servers are signing above the cut with the treasury.gov ZSK, but there 
>> are no DS records in the parent or the DNSKEY records in the 
>> fiscal.treasury.gov apex. Thus, the responses are seen as BOGUS.
> 
> Close, but not quite.  Explicit DS queries to the parent in fact
> elicit a valid denial of existence:
> 
>    $ dig +dnssec -t ds fiscal.treasury.gov @ns1.treasury.gov +norecur +nocl +nottl +noall +nocrypto +question +ans +auth
>    ;fiscal.treasury.gov.   IN DS
>    treasury.gov.           SOA     ns1.treasury.gov. ecb-hosting.fiscal.treasury.gov. 2001180551 3600 900 1209600 900
>    treasury.gov.           RRSIG   SOA 7 2 900 20221022031023 20221015021023 3908 treasury.gov. [omitted]
>    4u954er66u6qum644o2088ircof2kt1g.treasury.gov. NSEC3 1 0 1 DADE5BC724805E45 4U954ER66U6QUM644O2088IRCOF2KT1H NS RRSIG
>    4u954er66u6qum644o2088ircof2kt1g.treasury.gov. RRSIG NSEC3 7 3 900 20221025022736 20221018012736 3908 treasury.gov. [omitted]

Actually the bit map is incorrect RRSIG should not be present unless the DS is present.  An insecure delegation only has NS where as a secure delegation has NS, DS and RRSIG.  The exception to this is
when there is a KEY RRset present (yes, they can exist on the parent and child sides of a delegation
independently of each other). 

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the dns-operations mailing list