[dns-operations] DNSSEC at ICANN: still no check?

Roy Arends roy at dnss.ec
Mon Jan 20 16:24:53 UTC 2014


I don’t understand the problem. Do you expect nic.red to be dnssec-signed?

Roy

On 20 Jan 2014, at 16:10, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> .red and .rich both have a nic.$TLD which is unsigned. The lack of DS
> is not validated, since only one NSEC3 is returned. It seems similar
> to the problem of .онлайн / .xn--80asehdb three months ago.
> 
> % dig SOA nic.red
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SOA nic.red
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52972
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nic.red.		IN SOA
> 
> ;; Query time: 879 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 20 17:09:05 2014
> ;; MSG SIZE  rcvd: 36
> 
> % dig DS nic.red     
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> DS nic.red
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34835
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nic.red.		IN DS
> 
> ;; AUTHORITY SECTION:
> red.			82 IN SOA a0.nic.red. noc.afilias-nst.info. (
> 				1000000061 ; serial
> 				10800      ; refresh (3 hours)
> 				3600       ; retry (1 hour)
> 				2764800    ; expire (4 weeks 4 days)
> 				900        ; minimum (15 minutes)
> 				)
> red.			82 IN RRSIG SOA 7 1 86400 20140210022600 (
> 				20140120012600 31835 red.
> 				U4a3e+kX3o8kRxqulzS+RdEplbqg4ZwqT98q3NgGZUVY
> 				jaYoO9xu4jJ9ynIMb+v0BkhfrOeFIwKFt7KL8s8qKSbi
> 				FVJRFliCCSDJF7A+KKI96DltInT7D26XaIxPQQVnj/F6
> 				G2MFJ/SKn5Iy4X8KENPNK9H9TuygMZSdiCxMA8U= )
> 4iafiqi7pvouh4fbdvcmrap96fj3lefb.red. 82 IN RRSIG NSEC3 7 2 900 20140210022600 (
> 				20140120012600 31835 red.
> 				Px2DkjVJsutn2Xu/Hzf2h1VCseQdURaAqdLNHp3OYzMd
> 				c4koecXH/yWeqSv9w9UhJWd2ksxTihkjoq3nz7GezL03
> 				1E5XgReyte0JYNlILdTUOD8CJmsN+/hPYGSX16NeWnn9
> 				poGcDOmoAPUn0x4ywlR7lAHEITPlDXxV3p8am+A= )
> 4iafiqi7pvouh4fbdvcmrap96fj3lefb.red. 82 IN NSEC3 1 1 1 D399EAAB 6EIVIDT04UJLNSB9HA6K5QRIKLTRRA49
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 20 17:09:26 2014
> ;; MSG SIZE  rcvd: 496
> 

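To see what the single NSEC3 record in the quoted `dig DS nic.red` answer can and cannot prove, the following added example (not part of the thread or of any poster's tooling) computes RFC 5155 hashes and reports whether that record matches or covers `red.` and `nic.red.`. The function names are hypothetical; the owner name, next-hash, salt and iteration count are copied from the dig output above.

```python
import base64
import hashlib

# Map the standard base32 alphabet to the base32hex alphabet used in NSEC3 owner names.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: iterated SHA-1 over the lowercased wire-format name plus salt."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()

def covers(owner_hash, next_hash, target_hash):
    """True if target lies strictly between owner and next in hash order."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n                # last record of the chain wraps to the first

def relation(nsec3_owner, next_hash, name, salt_hex, iterations):
    """Classify one NSEC3 record against a name: 'matches', 'covers' or 'neither'."""
    owner_hash = nsec3_owner.split(".", 1)[0].lower()
    h = nsec3_hash(name, salt_hex, iterations)
    if h == owner_hash:
        return "matches"
    return "covers" if covers(owner_hash, next_hash, h) else "neither"

if __name__ == "__main__":
    # Values taken from the AUTHORITY section of the quoted dig output.
    owner = "4iafiqi7pvouh4fbdvcmrap96fj3lefb.red."
    nxt = "6EIVIDT04UJLNSB9HA6K5QRIKLTRRA49"
    salt, iters = "D399EAAB", 1
    # An insecure-delegation proof needs an NSEC3 matching the queried name, or
    # one matching the closest encloser plus an Opt-Out one covering the next closer name.
    for qname in ("red.", "nic.red."):
        print(qname, nsec3_hash(qname, salt, iters),
              relation(owner, nxt, qname, salt, iters))
```

A result of `neither` for a name means the returned record says nothing about it, so a validator would need additional NSEC3 records to accept the absence of a DS.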