[dns-operations] DNSSEC at ICANN: still no check?
Roy Arends
roy at dnss.ec
Mon Jan 20 16:24:53 UTC 2014
I don’t understand the problem. Do you expect nic.red to be DNSSEC-signed?
Roy
On 20 Jan 2014, at 16:10, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> .red and .rich both have a nic.$TLD which is unsigned. The lack of DS
> is not validated, since only one NSEC3 is returned. It seems similar
> to the problem of .онлайн / .xn--80asehdb three months ago.
>
> % dig SOA nic.red
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SOA nic.red
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52972
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nic.red. IN SOA
>
> ;; Query time: 879 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 20 17:09:05 2014
> ;; MSG SIZE rcvd: 36
>
> % dig DS nic.red
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> DS nic.red
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34835
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nic.red. IN DS
>
> ;; AUTHORITY SECTION:
> red. 82 IN SOA a0.nic.red. noc.afilias-nst.info. (
> 1000000061 ; serial
> 10800 ; refresh (3 hours)
> 3600 ; retry (1 hour)
> 2764800 ; expire (4 weeks 4 days)
> 900 ; minimum (15 minutes)
> )
> red. 82 IN RRSIG SOA 7 1 86400 20140210022600 (
> 20140120012600 31835 red.
> U4a3e+kX3o8kRxqulzS+RdEplbqg4ZwqT98q3NgGZUVY
> jaYoO9xu4jJ9ynIMb+v0BkhfrOeFIwKFt7KL8s8qKSbi
> FVJRFliCCSDJF7A+KKI96DltInT7D26XaIxPQQVnj/F6
> G2MFJ/SKn5Iy4X8KENPNK9H9TuygMZSdiCxMA8U= )
> 4iafiqi7pvouh4fbdvcmrap96fj3lefb.red. 82 IN RRSIG NSEC3 7 2 900 20140210022600 (
> 20140120012600 31835 red.
> Px2DkjVJsutn2Xu/Hzf2h1VCseQdURaAqdLNHp3OYzMd
> c4koecXH/yWeqSv9w9UhJWd2ksxTihkjoq3nz7GezL03
> 1E5XgReyte0JYNlILdTUOD8CJmsN+/hPYGSX16NeWnn9
> poGcDOmoAPUn0x4ywlR7lAHEITPlDXxV3p8am+A= )
> 4iafiqi7pvouh4fbdvcmrap96fj3lefb.red. 82 IN NSEC3 1 1 1 D399EAAB 6EIVIDT04UJLNSB9HA6K5QRIKLTRRA49
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 20 17:09:26 2014
> ;; MSG SIZE rcvd: 496
>
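Added example, not part of the original thread or of any resolver's code: a Python version of the RFC 5155 section 8.6 check that a validator applies to the NSEC3 records in a NODATA answer to a DS query, the check at issue in the quoted message. The record dictionaries, the `shift` helper and the sample records are constructed for illustration (only the salt and iteration count come from the dig output above); RRSIG verification is assumed to happen elsewhere.

```python
import base64
import hashlib

ALPHABET = "0123456789abcdefghijklmnopqrstuv"  # base32hex digits (RFC 4648)
_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", ALPHABET.encode())

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: iterated, salted SHA-1 of the lowercased wire-format name."""
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_HEX).decode()

def covers(rec, h):
    """True if hash h falls strictly between the record's owner and next hashes."""
    o, n = rec["owner"], rec["next"]
    return o < h < n if o < n else (h > o or h < n)  # else: last record wraps

def ds_nodata_proof(qname, zone, records, salt_hex, iterations):
    """Check the NSEC3 set of a NODATA answer to a DS query (RFC 5155 section 8.6)."""
    h = lambda n: nsec3_hash(n, salt_hex, iterations)
    owners = {r["owner"]: r for r in records}
    if h(qname) in owners:  # qname is in the chain: bitmap must lack DS and CNAME
        return not {"DS", "CNAME"} & owners[h(qname)]["types"], "NSEC3 matches qname"
    labels = [l for l in qname.split(".") if l]
    depth = len([l for l in zone.split(".") if l])
    for i in range(1, len(labels) - depth + 1):  # walk up towards the zone apex
        if h(".".join(labels[i:])) in owners:  # closest encloser found
            next_closer = h(".".join(labels[i - 1:]))
            if any(covers(r, next_closer) and r["opt_out"] for r in records):
                return True, "closest encloser matched, next closer covered by opt-out"
            return False, "no opt-out NSEC3 covers the next closer name"
    return False, "no NSEC3 matches a closest encloser"

def shift(h, d):
    """Neighbouring hash value, used only to build the constructed sample records."""
    n = int(h, 32) + d
    return "".join(ALPHABET[(n >> 5 * i) & 31] for i in reversed(range(32)))

SALT, ITER = "D399EAAB", 1  # from the dig output; the records below are constructed
H_APEX, H_NIC = nsec3_hash("red.", SALT, ITER), nsec3_hash("nic.red.", SALT, ITER)
APEX = {"owner": H_APEX, "next": shift(H_APEX, 1), "opt_out": True, "types": {"NS", "SOA"}}
COVER = {"owner": shift(H_NIC, -1), "next": shift(H_NIC, 1), "opt_out": True, "types": set()}

if __name__ == "__main__":
    for recs in ([APEX, COVER], [COVER], [APEX]):
        print(len(recs), ds_nodata_proof("nic.red.", "red.", recs, SALT, ITER))
```

A single NSEC3 is enough only when it matches the queried name itself, or when the same record both matches the closest encloser and covers the next closer name.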