[dns-operations] DNSSEC at ICANN: still no check?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Feb 18 08:18:48 UTC 2014
On Mon, Jan 20, 2014 at 04:37:50PM +0000,
 Roy Arends <roy at dnss.ec> wrote
 a message of 97 lines which said:

> The problem is indeed the absence of type NS in the type bit maps, as you (and Peter van
> Dijk) showed in your previous mail.

Experience being useless, nobody fixed the bug or the pre-delegation
tests: .pink is now broken because of the same bug. Its name servers
are all in an unprovably unsigned zone, nic.pink.

% dig @65.22.29.17 DS nic.pink
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @65.22.29.17 DS nic.pink
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3416
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nic.pink. IN DS
;; AUTHORITY SECTION:
pink. 900 IN SOA a0.black.afilias-nst.info. noc.afilias-nst.info. (
1000000085 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
2764800 ; expire (4 weeks 4 days)
900 ; minimum (15 minutes)
)
pink. 900 IN RRSIG SOA 7 1 86400 20140311032041 (
20140218022041 65303 pink.
Fyoq1vCQI49jU61bgYh9LtCvGIFw02oxAyDL4ND/yW6z
8d/nLlhOsqK61FAd7k+OJUc/RoejKOTV21n6GByiDegf
84vx3jQ7dZqLAwJrezF/h7PQt4qrLtd970SWmH7e8WZR
LS8RcCNaDmt1lCbIU0CatwihZnc0f82Obvo4or4= )
0lhcnkbbjmrh3ri49muqj8f9uagkmsk9.pink. 900 IN NSEC3 1 1 1 D399EAAB 0Q3SVKDP4MTUL3F9048GS80BPRKKFTB6
0lhcnkbbjmrh3ri49muqj8f9uagkmsk9.pink. 900 IN RRSIG NSEC3 7 2 900 20140311032041 (
20140218022041 65303 pink.
0jh1Q4zeJqgodYSRCmiEbGSRLuNuxp8F8DZYRPsW49qg
pALHB5SSBmteMlBziHGGic/0MZGELGhejPZdWGvlXOsS
hpAvPbxfyDkKG1ChTYtaItEh9PaV7sUcE33oZwEMc+PE
3WIXbeCUIA+mwM4mxEmB6QVN2+4x+NfQ/zBwduQ= )
;; Query time: 121 msec
;; SERVER: 65.22.29.17#53(65.22.29.17)
;; WHEN: Tue Feb 18 09:15:32 2014
;; MSG SIZE rcvd: 505

Only one NSEC3, for nic.pink ("nsec3hash D399EAAB 1 1 nic.pink") but
with an empty typemap.
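
A minimal form of the check discussed in this message, as an added example that is not part of the original post: it recomputes the RFC 5155 owner hash and applies the RFC 5155 section 8.9 type bit map rules for an unsigned delegation (NS set, DS and SOA clear) to the NSEC3 record from the dig output above. The function names and the `FIXED` record are constructed for illustration.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex, the encoding used for NSEC3 owner labels.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (algorithm 1, SHA-1) of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def check_insecure_delegation(delegation, nsec3_rr):
    """Return the reasons (if any) why this NSEC3 RR, in dig presentation
    format, fails to prove that `delegation` is an unsigned child zone."""
    fields = nsec3_rr.split()
    owner = fields[0]
    i = fields.index("NSEC3")
    alg, _flags, iterations, salt = fields[i + 1:i + 5]
    types = set(fields[i + 6:])          # fields[i + 5] is the next hashed owner
    if alg != "1":
        return ["unsupported NSEC3 hash algorithm " + alg]
    problems = []
    expected = nsec3_hash(delegation, salt, int(iterations))
    if owner.split(".")[0].lower() != expected:
        problems.append("NSEC3 owner does not match hash of " + delegation)
    if "NS" not in types:
        problems.append("NS bit not set: name is not marked as a delegation")
    if "DS" in types:
        problems.append("DS bit set: a DS RRset exists, delegation is signed")
    if "SOA" in types:
        problems.append("SOA bit set: NSEC3 comes from the child, not the parent")
    return problems

# NSEC3 record copied from the dig output in the message above.
PINK = ("0lhcnkbbjmrh3ri49muqj8f9uagkmsk9.pink. 900 IN NSEC3 1 1 1 D399EAAB "
        "0Q3SVKDP4MTUL3F9048GS80BPRKKFTB6")
# Constructed counter-example: the same record with NS in the type bit map.
FIXED = PINK + " NS"

if __name__ == "__main__":
    for label, rr in (("as served", PINK), ("with NS", FIXED)):
        print(label, "->", check_insecure_delegation("nic.pink", rr) or "proof OK")
```
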