[dns-operations] [DNSSEC] A "lame" DS record: operational problem or not?

Casey Deccio casey at deccio.net
Tue Sep 14 18:51:07 UTC 2010


On Tue, Sep 14, 2010 at 6:18 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> I recently saw  a "lame" DS record in the root (a DS which goes to a
> non-existing key):
>
> be.                     73924   IN      DS      3961 8 1 30FC582FE64CA122064D92FF6DF3EC8383A1E987
> be.                     73924   IN      DS      3961 8 2 72863CE93E5D4CEFE529D32BE7484056442DEA804D8F0769522CDB18 1C86F0E5
>
> Key 3961 is not published (see it graphically at
> <http://dnsviz.net/d/be/dnssec/>).
>

Regarding DNSViz output... Note that although DNSViz reports the
"dangling" DS RR as "Bogus", this configuration is in fact legitimate,
as Olafur previously wrote, because another DS RR exists, which has a
valid match to a DNSKEY in be.  That is why the "delegation status" of
"." to "be" is "secure", rather than "bogus" (which would be the case
if none of the DS RRs matched up with DNSKEYs).

The "bogus" designation of the dangling DS was the result of an
attempt in the initial deployment of DNSViz to limit the "categories"
on the left-hand side to a few meaningful categories.  Understandably,
placing this in the "bogus" category is confusing for the
user/administrator, even with the delegation listed as "secure".
Olafur brought this to my attention earlier in the summer, and I've
been working on a number of changes to DNSViz, one of which is a
revamp of the categorization, including this particular issue.
(However, this set of changes has dragged out over several months
now.)  Anyway, ultimately this will be more of a "warning" or
"attention" than the "error" or "bogus" message it currently conveys.

Feedback on this particular tool is always welcome.

Best regards,
Casey



More information about the dns-operations mailing list