[dns-operations] (co.)bw DNSSEC failure
Anand Buddhdev
anandb at ripe.net
Tue Sep 20 17:58:40 UTC 2016
On 20/09/16 18:58, Warren Kumari wrote:
Hi Warren,
> In the "bad" example, the nameserver is returning a helpful RRSIG, so
> it has to have at least heard of DNSSEC. The serials match, so
> (likely!) they have the same data. Sure, master.btc.net.bw could
> simply be pathological, or someone could have hand edited the signed
> zone file and <handwave>, but I'm not really sure how else this
> situation could have come about.
This particular server identifies itself as:
$ dig @master.btc.net.bw ch txt version.bind +norec +short
"djbdns"
My guess is that they're using tinydns patched for dnssec
(tinydnssec.org), and it's an older version with a bug (fixed in 1.3).
Regards,
Anand
More information about the dns-operations
mailing list