[dns-operations] IANA testbed problem
george.barwood at blueyonder.co.uk
Thu Apr 8 15:40:32 UTC 2010
The IANA testbed ( https://ns.iana.org/dnssec/status.html ) seems to respond incorrectly to queries for DS iana.org
It should act as a (test) signed root, with one of the root servers being
ns.iana.org. 3600 IN A 220.127.116.11
The response to
>dig ds iana.org @18.104.22.168
should ( I think) be a referral to the org servers, since the DS RRset is served by the parent zone.
However, the actual response is an authoritative NoData response,
iana.org. 3600 IN SOA dns1.icann.org. hostmaster.icann
i.e. it is coming from the iana.org zone rather than the root zone.
Am I being stupid, or is this a bug?
It can lead to authentication errors if the org zone has not yet been discovered
by the resolver, e.g. if the first query is for ns.iana.org
More information about the dns-operations