[dns-operations] It's begun...

Mark Andrews marka at isc.org
Thu Oct 24 13:51:09 UTC 2013


It helps to return the NSEC3 record that proves that the
wildcard name does not exist.

25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: in authvalidated
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: resuming nsecvalidate
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: looking for relevant NSEC3
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: looking for relevant NSEC3
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 proves name does not exist: 'www.xn--80aswg'
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 indicates potential closest encloser: 'xn--80aswg'
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 at super-domain xn--80aswg
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: in checkwildcard: *.xn--80aswg
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: looking for relevant NSEC3
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 at super-domain xn--80aswg
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: in checkwildcard: *.xn--80aswg
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: nonexistence proof(s) not found
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: checking existence of DS at 'xn--80aswg'
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: checking existence of DS at 'www.xn--80aswg'
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: continuing validation would lead to deadlock: aborting validation
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: deadlock found (create_validator)


In message <CE8E9611.39370%york at isoc.org>, Dan York writes:
> On 10/24/13 9:12 AM, "Chris Thompson" <cet1 at cam.ac.uk> wrote:
> 
> 
> >At 13:01 23-10-2013, Edward Lewis wrote:
> >>My sensors show 4 new gTLDs in the last hour or so...IDN,
> >>non-ccTLD...added between 1800 and 1900 UTC.
> >
> >Not mentioned yet is that all four appeared already signed and with
> >DS records in the root zone.
> 
> Funny you should mention that... I just published a post this morning
> promoting that fact:
> 
> http://www.internetsociety.org/deploy360/blog/2013/10/4-newgtlds-launched-y
> esterday-marks-dawn-of-dnssec-from-the-start-tlds/
> 
> 
> >From a DNSSEC-advocacy point of view, this is a great step forward as all
> new domains registered under these newgTLDs will at least have the
> *option* of being secured by DNSSEC.
> 
> >But... the two Cyrillic gTLDs (xn--80asehdb & xn--80aswg) are a bit
> >broken, in that NXDOMAIN responses don't validate properly. Neither
> >dnssec-debugger.verisignlabs.com nor dnsviz.net are able to analyse
> >validations problems for NXDOMAIN responses, so I am not quite sure
> >why yet, but e.g.
> >
> >  dig +dnssec www.xn--80asehdb.
> >  dig +dnssec www.xn--80aswg.
> >
> >give SERVFAILs which can be avoided by adding the +cd option.
> 
> Hmmm... interesting.  Perhaps some work is still needed on the operational
> front there...
> 
> Dan
> 
> --
> Dan York
> Senior Content Strategist, Internet Society
> york at isoc.org <mailto:york at isoc.org>   +1-802-735-1624
> Jabber: york at jabber.isoc.org <mailto:york at jabber.isoc.org>
> Skype: danyork   http://twitter.com/danyork
> 
> http://www.internetsociety.org/deploy360/ 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


More information about the dns-operations mailing list