[dns-operations] DNSSEC at ICANN: still no check?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Mon Jan 20 16:10:13 UTC 2014
.red and .rich both have a nic.$TLD which is unsigned. The lack of DS
is not validated, since only one NSEC3 is returned. It seems similar
to the problem of .онлайн / .xn--80asehdb three months ago.

% dig SOA nic.red
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SOA nic.red
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52972
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nic.red. IN SOA
;; Query time: 879 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 20 17:09:05 2014
;; MSG SIZE rcvd: 36

% dig DS nic.red
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> DS nic.red
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34835
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nic.red. IN DS
;; AUTHORITY SECTION:
red. 82 IN SOA a0.nic.red. noc.afilias-nst.info. (
1000000061 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
2764800 ; expire (4 weeks 4 days)
900 ; minimum (15 minutes)
)
red. 82 IN RRSIG SOA 7 1 86400 20140210022600 (
20140120012600 31835 red.
U4a3e+kX3o8kRxqulzS+RdEplbqg4ZwqT98q3NgGZUVY
jaYoO9xu4jJ9ynIMb+v0BkhfrOeFIwKFt7KL8s8qKSbi
FVJRFliCCSDJF7A+KKI96DltInT7D26XaIxPQQVnj/F6
G2MFJ/SKn5Iy4X8KENPNK9H9TuygMZSdiCxMA8U= )
4iafiqi7pvouh4fbdvcmrap96fj3lefb.red. 82 IN RRSIG NSEC3 7 2 900 20140210022600 (
20140120012600 31835 red.
Px2DkjVJsutn2Xu/Hzf2h1VCseQdURaAqdLNHp3OYzMd
c4koecXH/yWeqSv9w9UhJWd2ksxTihkjoq3nz7GezL03
1E5XgReyte0JYNlILdTUOD8CJmsN+/hPYGSX16NeWnn9
poGcDOmoAPUn0x4ywlR7lAHEITPlDXxV3p8am+A= )
4iafiqi7pvouh4fbdvcmrap96fj3lefb.red. 82 IN NSEC3 1 1 1 D399EAAB 6EIVIDT04UJLNSB9HA6K5QRIKLTRRA49
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 20 17:09:26 2014
;; MSG SIZE rcvd: 496
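
Added example, not part of the original post: a Python sketch that recomputes the RFC 5155 NSEC3 hash (algorithm 1, SHA-1) for the zone apex and the queried name, then reports whether the single NSEC3 record in the DS answer above matches or covers each of them. The function names are chosen for this example; the record values are copied from the dig output.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex alphabet (NSEC3 owner labels use base32hex).
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) DNS wire format of an ASCII domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5 hash, returned as lowercase base32hex."""
    salt = bytes.fromhex(salt_hex) if salt_hex != "-" else b""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def relation(hashed: str, owner_hash: str, next_hash: str) -> str:
    """How one NSEC3 record relates to a hashed name: matches, covers, neither."""
    h, o, n = hashed.lower(), owner_hash.lower(), next_hash.lower()
    if h == o:
        return "matches"
    if o < n:
        return "covers" if o < h < n else "neither"
    # The last record in the chain wraps around to the first hash.
    return "covers" if (h > o or h < n) else "neither"

def check(qname, zone, owner_hash, next_hash, salt_hex, iterations):
    """Role of a single NSEC3 for the zone apex and for the queried name."""
    return {name: relation(nsec3_hash(name, salt_hex, iterations),
                           owner_hash, next_hash)
            for name in (zone, qname)}

if __name__ == "__main__":
    # Values copied from the NSEC3 record in the dig output above.
    print(check("nic.red.", "red.",
                "4iafiqi7pvouh4fbdvcmrap96fj3lefb",
                "6EIVIDT04UJLNSB9HA6K5QRIKLTRRA49", "D399EAAB", 1))
```

A validator needs an NSEC3 that matches the closest encloser and one that covers the next closer name (with the opt-out flag set) to accept the absence of DS; the output shows which of those roles the one returned record fills.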