[dns-operations] www.factorymoneystore.gov DNSSec Failures

Casey Deccio casey at deccio.net
Sat Jul 26 19:40:07 UTC 2014


On Sat, Jul 26, 2014 at 2:30 PM, Ryan Rawdon <ryan at u13.net> wrote:

> http://dnssec-debugger.verisignlabs.com/www.moneyfactorystore.gov
>
>         RRSIG=51869 and DNSKEY=51869 does not verify the A RRset (RSA
> Verification failed)
>         RRSIG=54410 and DNSKEY=54410 does not verify the A RRset (RSA
> Verification failed)
>         None of the 2 RRSIG and 4 DNSKEY records validate the A RRset
>         The A RRset was not signed by any keys in the chain-of-trust
>
> Validation for moneyfactorystore.gov succeeds, however
> www.moneyfactorystore.gov fails.  Came across this when a user pointed
> out that it was not resolving.
>
>
Hmm, DNSViz doesn't see any problems [1], and the DNS-OARC resolvers give
an authenticated response [2].  I'm not sure about the reported RSA
verification failures, but it could be that your resolver is (incorrectly)
expecting a closest encloser NSEC3 record, which isn't necessary for
wildcard responses, but which some older versions of BIND required [3].
What resolver are you running?

Cheers,
Casey

[1] http://dnsviz.net/d/www.moneyfactorystore.gov/U9P4fQ/dnssec/
[2] https://www.dns-oarc.net/oarc/services/odvr
[3] See the following thread:
http://dnssec-deployment.org/pipermail/dnssec-deployment/2011-October/005486.html
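The closest-encloser point made above, worked through in added example code that is not part of Casey's message or of the thread. It assumes a constructed zone modelled on the RFC 5155 Appendix A example (apex "example", SHA-1, salt aabbccdd, 12 iterations) with a hand-picked set of existing names, a constructed query (a.z.w.example, synthesized from *.w.example with RRSIG Labels=2), and function names chosen here for illustration. It shows the RFC 5155 section 8.8 check, which needs only the NSEC3 covering the "next closer" name, beside the over-strict variant that also demands a matching NSEC3 for the closest encloser and therefore rejects a minimal, conforming authority section.

```python
"""Wildcard-answer NSEC3 proof check (RFC 5155 section 8.8).

Added illustration, not code from the thread: a constructed zone modelled on
the RFC 5155 Appendix A example zone (apex "example", SHA-1, salt aabbccdd,
12 iterations).
"""
import base64
import hashlib

ZONE_SALT = bytes.fromhex("aabbccdd")   # assumption: RFC 5155 Appendix A parameters
ZONE_ITERATIONS = 12
# Constructed list of names that exist in the zone (assumption).  "w.example" is
# an empty non-terminal; "*.w.example" is the wildcard that synthesizes answers.
EXISTING_NAMES = [
    "example", "a.example", "ai.example", "ns1.example", "ns2.example",
    "w.example", "*.w.example", "x.w.example", "x.y.w.example", "y.w.example",
]

# base32 -> base32hex (RFC 4648 section 7) alphabet translation
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def _labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]


def canonical_wire(name):
    """Uncompressed, lowercase wire-format owner name (RFC 4034 section 6.2)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name)) + b"\x00"


def nsec3_hash(name, salt=ZONE_SALT, iterations=ZONE_ITERATIONS):
    """RFC 5155 section 5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def build_nsec3_chain(names):
    """Sorted circular chain of (owner_hash, next_hash) pairs, one per existing name."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def nsec3_covers(rr, hashed):
    """True if hashed falls strictly between owner and next (with wrap-around)."""
    owner, nxt = rr
    if owner < nxt:
        return owner < hashed < nxt
    return hashed > owner or hashed < nxt     # last record wraps to the first


def closest_encloser(qname, rrsig_labels):
    """The RRSIG Labels field of a wildcard-expanded RRset identifies the closest
    encloser (RFC 4035 section 5.3.4), so no NSEC3 is needed to find it."""
    labels = _labels(qname)
    if rrsig_labels >= len(labels):
        raise ValueError("Labels field says the RRset was not wildcard-expanded")
    return ".".join(labels[-rrsig_labels:])


def next_closer(qname, encloser):
    """Closest encloser plus one more label of the query name."""
    return ".".join(_labels(qname)[-(len(_labels(encloser)) + 1):])


def validate_wildcard_answer(qname, rrsig_labels, nsec3_rrs, require_closest_encloser=False):
    """RFC 5155 section 8.8: a positive wildcard answer is valid if some NSEC3 in the
    response covers the hashed next-closer name (proving nothing more specific than
    the wildcard exists).  require_closest_encloser=True adds the extra demand for a
    matching closest-encloser NSEC3 that the thread attributes to older BIND."""
    ce = closest_encloser(qname, rrsig_labels)
    if not any(nsec3_covers(rr, nsec3_hash(next_closer(qname, ce))) for rr in nsec3_rrs):
        return False
    if require_closest_encloser and not any(rr[0] == nsec3_hash(ce) for rr in nsec3_rrs):
        return False
    return True


def minimal_wildcard_proof(qname, rrsig_labels, chain):
    """All a conforming authoritative server must put in the authority section:
    the single NSEC3 covering the next-closer name."""
    nc_hash = nsec3_hash(next_closer(qname, closest_encloser(qname, rrsig_labels)))
    return [rr for rr in chain if nsec3_covers(rr, nc_hash)]


CHAIN = build_nsec3_chain(EXISTING_NAMES)
# Constructed query: a.z.w.example MX, synthesized from *.w.example; its RRSIG
# carries Labels=2 ("w.example"), so the next closer name is z.w.example.
PROOF = minimal_wildcard_proof("a.z.w.example", 2, CHAIN)

if __name__ == "__main__":
    print("RFC 5155 check:   ", validate_wildcard_answer("a.z.w.example", 2, PROOF))
    print("over-strict check:", validate_wildcard_answer("a.z.w.example", 2, PROOF,
                                                         require_closest_encloser=True))
```

The same function also rejects a replayed wildcard RRset for a name that really exists (for example x.w.example): its hashed next-closer name matches an NSEC3 owner exactly instead of falling strictly between two owners, so nothing covers it.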