[dns-operations] DNSSEC validation failures for 54.in-addr.arpa

Chris Thompson cet1 at cam.ac.uk
Sat Dec 17 22:48:47 UTC 2011


There seems to be a problem. The DS record in in-addr.arpa:

$ dig +noall +answer +multi ds 54.in-addr.arpa @a.in-addr-servers.arpa
54.in-addr.arpa.        86400 IN DS 63306 5 1 (
                                FEFD230E5FF2A7CB14D820658DBC58EAD326C8EA )

doesn't match any of the DNSKEY records in the zone itself

$ dig +noall +answer +multi dnskey 54.in-addr.arpa @z.arin.net
54.in-addr.arpa.        14400 IN DNSKEY 257 3 5 (
                                BQEAAAABrbjX/Cb7kp9/5vmtmHZo9y0U1FozvbV9ZCEj
                                Y0CbVKrQ8k2XfNR+ETLP/hMrBhTR9unLSDpDAldWjXuW
                                itNImxVg2s03fCVsdRs/eu16NMoFale8Kyzgq5vB1sA+
                                Qsm/rJY3DbDLgIYzg4f3JbteRctBbWR1HMsWROYSAE79
                                SICSwGd8h+Pc+Ea1WmYzZoyLhtZcpIf4wPvogWsRQVpy
                                G8kEGPHTFuJE8O7s9pOq9LLuH/49kPAMmQdVY+U7ho4R
                                KQqhIWP6657xgnInWH5mIziDA1xl9cYt1awXveFLDRGm
                                DmvCctTjVfcClHQO87XGxDh462JN99pwiBP+z+ts9w==
                                ) ; key id = 64806
54.in-addr.arpa.        14400 IN DNSKEY 256 3 5 (
                                BQEAAAABugs0Ryy9py2fOCWVbEdJg/WI7yV2TIwyCzyf
                                q+wCxTINWfx0zoQ0hZubEz0Eh/WBd0JiwJRVyGGZjnGT
                                0dFQhfrxpBvEaaR1Rvaa9dtVzn8qXPWKxmdUkNIwi0Uo
                                6SECCysgX3JGI9T9hbTAIOtDqubcnJLXhzlAnkiFC0Lx
                                EcU=
                                ) ; key id = 64967

http://dnssec-debugger.verisignlabs.com/54.in-addr.arpa agrees.

[Cc'd to dns-ops at arin.net, nstld at iana.org]

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.


More information about the dns-operations mailing list