[dns-operations] DNSSEC at ICANN: still no check?

Casey Deccio casey at deccio.net
Tue Jan 21 14:34:49 UTC 2014


On Mon, Jan 20, 2014 at 4:11 PM, Matthew Pounsett <matt at conundrum.com> wrote:

>
> On Jan 20, 2014, at 11:37 , Roy Arends <roy at dnss.ec> wrote:
>
> > The problem is indeed the absence of type NS in the type bit maps, as
> > you (and Peter van Dijk) showed in your previous mail.
>
> It’s hard to see from outside since it’s all the same NS set, but I suspect
> red. and nic.red. are separate zones, but that there is no delegation from
> red. to nic.red.  I’ve seen that mistake before.  With the same NS set it
> wouldn’t appear as a problem prior to signing.
>
>
That could be the case (the issue appears to be fixed now).  In the past
when I've seen this the authoritative server returns NXDOMAIN status,
rather than NOERROR, as the name (according to the delegating parent zone,
which answers for DS) does not exist.  In this case, the name does appear
to exist, but with no record types.  I'm guessing that is because there is
some "sibling glue" in the "red" zone for another delegation, whose NS
records include server names in "nic.red".  Interesting find - I hadn't
seen this scenario before.

Casey
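
The thread turns on whether type NS appears in the type bit map of the record that denies DS for a name. The following is an added example, not part of the original message: it decodes the RFC 4034 section 4.1.2 type bit map and gives a simplified reading of it, covering more cases than the thread discusses. Function names are hypothetical and the sample bit maps are constructed.

```python
# Added example: decode an NSEC/NSEC3 type bit map (RFC 4034, section 4.1.2)
# and classify what it says about a delegation. Function names are hypothetical.
NS, SOA, DS = 2, 6, 43

def decode_type_bitmap(data: bytes) -> set:
    """Return the set of RR type numbers whose bits are set in the bit map."""
    types, pos, prev_window = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if not 1 <= length <= 32 or window <= prev_window:
            raise ValueError("bad window block")
        if pos + length > len(data):
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.add(window * 256 + i * 8 + bit)
        pos, prev_window = pos + length, window
    return types

def classify_ds_denial(bitmap: bytes) -> str:
    """Simplified reading of the record that answers a DS query with NODATA."""
    types = decode_type_bitmap(bitmap)
    if DS in types:
        return "ds-exists"            # cannot be used to deny DS
    if NS in types and SOA in types:
        return "zone-apex"            # apex record, not the parent side of a cut
    if NS in types:
        return "insecure-delegation"  # NS set, SOA and DS clear
    return "no-delegation"            # name exists but nothing marks a zone cut

# Constructed sample bit maps (not captured from the zones discussed above).
SAMPLES = {
    "NS RRSIG NSEC": bytes.fromhex("0006200000000003"),
    "A RRSIG NSEC": bytes.fromhex("0006400000000003"),
    "NS SOA RRSIG NSEC DNSKEY": bytes.fromhex("000722000000000380"),
    "(empty, NSEC3-style)": b"",
}

if __name__ == "__main__":
    for label, bitmap in SAMPLES.items():
        print(f"{label:26} -> {classify_ds_denial(bitmap)}")
```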