[dns-operations] DNSSEC at ICANN: still no check?

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Feb 18 08:18:48 UTC 2014


On Mon, Jan 20, 2014 at 04:37:50PM +0000,
 ? Roy Arends <roy at dnss.ec> wrote 
 a message of 97 lines which said:

> The problem is indeed the absence of type NS in the type bit maps, as you (and Peter van
> Dijk) showed in your previous mail.

Experience being useless, nobody fixed the bug or the pre-delegation
tests: .pink is now broken because of the same bug. Its name servers
are all in an unprovably unsigned zone, nic.pink.

% dig @65.22.29.17 DS nic.pink     

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @65.22.29.17 DS nic.pink
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3416
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nic.pink.		IN DS

;; AUTHORITY SECTION:
pink.			900 IN SOA a0.black.afilias-nst.info. noc.afilias-nst.info. (
				1000000085 ; serial
				10800      ; refresh (3 hours)
				3600       ; retry (1 hour)
				2764800    ; expire (4 weeks 4 days)
				900        ; minimum (15 minutes)
				)
pink.			900 IN RRSIG SOA 7 1 86400 20140311032041 (
				20140218022041 65303 pink.
				Fyoq1vCQI49jU61bgYh9LtCvGIFw02oxAyDL4ND/yW6z
				8d/nLlhOsqK61FAd7k+OJUc/RoejKOTV21n6GByiDegf
				84vx3jQ7dZqLAwJrezF/h7PQt4qrLtd970SWmH7e8WZR
				LS8RcCNaDmt1lCbIU0CatwihZnc0f82Obvo4or4= )
0lhcnkbbjmrh3ri49muqj8f9uagkmsk9.pink. 900 IN NSEC3 1 1 1 D399EAAB 0Q3SVKDP4MTUL3F9048GS80BPRKKFTB6
0lhcnkbbjmrh3ri49muqj8f9uagkmsk9.pink. 900 IN RRSIG NSEC3 7 2 900 20140311032041 (
				20140218022041 65303 pink.
				0jh1Q4zeJqgodYSRCmiEbGSRLuNuxp8F8DZYRPsW49qg
				pALHB5SSBmteMlBziHGGic/0MZGELGhejPZdWGvlXOsS
				hpAvPbxfyDkKG1ChTYtaItEh9PaV7sUcE33oZwEMc+PE
				3WIXbeCUIA+mwM4mxEmB6QVN2+4x+NfQ/zBwduQ= )

;; Query time: 121 msec
;; SERVER: 65.22.29.17#53(65.22.29.17)
;; WHEN: Tue Feb 18 09:15:32 2014
;; MSG SIZE  rcvd: 505

Only one NSEC3, for nic.pink ("nsec3hash D399EAAB 1 1 nic.pink") but
with an empty typemap.


More information about the dns-operations mailing list