[dns-operations] DNSSEC Failure w/IPv6 PTRs?

Sun May 15 23:02:59 UTC 2011

I've passed this on to the DNS team at ICANN, so it should hopefully be
fixed shortly.

Regards,

Anand Buddhdev
RIPE NCC

On 16/05/2011 00:41, Simon Leinen wrote:

> Mark Kamichoff writes:
>> I'm observing what seems to be a DNSSEC-related problem with resolving
>> IPv6 PTRs from DNSSEC validating servers, today.  [...]
> 
>> Are other folks experiencing these problems, or is it just me?
> 
> It's not just you.  Earlier today, a colleague complained that SSH
> logins to our servers over IPv6 were slow.  This turned out to be due to
> slow/broken inverse lookups of IPv6 addresses.
> 
>> Not sure when this started, but I can replicate it from a view
>> different locations.
> 
> Log messages about some subzones of ip6.arpa started at around 03:36 UTC
> today (our timestamps are in MET DST, UTC+0200):
> 
> 15-May-2011 05:36:47.793 validating @0x7fd468fc9350: 0.a.2.ip6.arpa DS: no valid signature found
> 15-May-2011 05:36:47.987 validating @0x7fd470d6ca20: 0.a.2.ip6.arpa DS: no valid signature found
> 15-May-2011 05:36:48.007 validating @0x7fd4701ba5b0: 0.a.2.ip6.arpa DS: no valid signature found
> 15-May-2011 05:36:48.362 validating @0x7fd47034fe60: 0.a.2.ip6.arpa DS: no valid signature found
> 15-May-2011 05:36:48.519 validating @0x7fd4702cbe20: 0.a.2.ip6.arpa DS: no valid signature found
> 15-May-2011 05:36:48.750 validating @0x7fd468fc9350: 0.a.2.ip6.arpa DS: no valid signature found
> 15-May-2011 05:36:48.850 validating @0x7fd468fc9350: 0.a.2.ip6.arpa DS: no valid signature found
> 15-May-2011 05:36:49.076 validating @0x20471a0: 0.a.2.ip6.arpa DS: no valid signature found
> 15-May-2011 05:36:49.097 validating @0x7fd4701ba5b0: 0.a.2.ip6.arpa DS: no valid signature found
> 15-May-2011 05:36:49.430 validating @0x7fd470d6ca20: 0.a.2.ip6.arpa DS: no valid signature found
> 
> On ip6.arpa proper, the messages started a bit later, around 06:17 UTC:
> 
> 15-May-2011 08:17:32.581   validating @0x7fd46896e150: ip6.arpa SOA: got insecure response; parent indicates it should be secure
> 15-May-2011 10:52:03.595   validating @0x7fd468fcd5e0: ip6.arpa SOA: got insecure response; parent indicates it should be secure
> 15-May-2011 11:23:12.176 validating @0x7fd468becfc0: ip6.arpa DNSKEY: no valid signature found (DS)
> 15-May-2011 11:23:12.197 validating @0x7fd470e12c50: ip6.arpa DNSKEY: no valid signature found (DS)
> 15-May-2011 11:23:12.334 validating @0x317bdc0: ip6.arpa DNSKEY: no valid signature found (DS)
> 15-May-2011 11:23:12.551 validating @0x7fd468becfc0: ip6.arpa DNSKEY: no valid signature found (DS)
> 15-May-2011 11:23:12.792 validating @0x7fd471903670: ip6.arpa DNSKEY: no valid signature found (DS)
> 15-May-2011 11:23:13.699 validating @0x2198710: ip6.arpa DNSKEY: no valid signature found (DS)
> 15-May-2011 11:23:13.720 validating @0x7fd468becfc0: ip6.arpa DNSKEY: no valid signature found (DS)
> 
> It would be nice if someone could fix this.