[dns-operations] .org dnssec issue?
Daniel Stirnimann
daniel.stirnimann at switch.ch
Mon Feb 6 12:58:49 UTC 2017
Dear all,
I cannot resolve geant.org on a validating resolver.
dig @b2.org.afilias-nst.org geant.org DS +dnssec
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @b2.org.afilias-nst.org
geant.org DS +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46443
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;geant.org. IN DS
;; AUTHORITY SECTION:
org. 900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info.
2012355993 1800 900 604800 86400
org. 900 IN RRSIG SOA 7 1 900 20170227124822 20170206114822 3947 org.
QSBmqyDB8R/IAZOofQMZOaDuyGb7oOME/ppdBvEitkKOstkfaUgiEJKV
Lsofh57kfMWmbduEQ7knwHYl8JWK06X8K9gBD0eB4qHgStG3slZ/eAI/
MYMsuN9gx/X2oXYRPUrla3A+TQ8jH1VLO8ReaixerGOvns3GwK1KozXx DsA=
2v44578rbb03qcv1725nc569s8hoigtq.org. 86400 IN NSEC3 1 1 1 D399EAAB
2V4JIMFKQNNFI3F9ULAG5T1QVEU0K9TK NS DS RRSIG
2v44578rbb03qcv1725nc569s8hoigtq.org. 86400 IN RRSIG NSEC3 7 2 86400
20170222152815 20170201142815 3947 org.
n68Q8rrz1s5cP+4+W0f0a3ZXwzJDYtuJhbYKKsjuqB5PgA3HDL9oPdU6
NGHZ07bFIK2WyWFoAbYeB7hbDUgIlMQBdYpbTSwZaUff5nSx7nd+xVKJ
mp3KfqnsI2VL72ClNFalvNx0vnR6rVELJ10TVTal7IJWhKPm54CvUjEy CtE=
I think the NSEC3 proof is bogus. 2v44578rbb03qcv1725nc569s8hoigtq.org.
is geant.org:
ldns-nsec3-hash -t 1 -s D399EAAB geant.org
2v44578rbb03qcv1725nc569s8hoigtq.
DNSviz said (http://dnsviz.net/d/geant.org/WJhvCw/dnssec/):
* NSEC3 proving non-existence of geant.org/DS: The DS bit was set in
the bitmap of the NSEC3 RR corresponding to the delegated name (geant.org).
* NSEC3 proving non-existence of geant.org/DS: The DS bit was set in
the bitmap of the NSEC3 RR corresponding to the delegated name (geant.org).
So, is this a .org issue?
Daniel
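
Added example (not part of the original post): a Python sketch of the check a validator applies here, following RFC 5155. It recomputes the NSEC3 hash for the query name and rejects the NODATA proof when the matching NSEC3 has the queried type or CNAME in its bitmap. The function names and the NS-only comparison record are assumptions constructed for illustration.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex, the encoding used for NSEC3 owner labels.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1) of a domain name, as a lowercase label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode().lower()

def parse_nsec3(line):
    """Parse one presentation-format NSEC3 RR as printed by dig."""
    f = line.split()
    i = f.index("NSEC3")  # followed by: alg flags iterations salt next-hash types...
    return {"owner_hash": f[0].split(".")[0].lower(),
            "iterations": int(f[i + 3]), "salt": f[i + 4],
            "types": {t.upper() for t in f[i + 6:]}}

def check_nodata_proof(qname, qtype, nsec3_line):
    """Return (ok, reason): does this NSEC3 prove that qname has no qtype RRset?"""
    rr = parse_nsec3(nsec3_line)
    if nsec3_hash(qname, rr["salt"], rr["iterations"]) != rr["owner_hash"]:
        return False, "NSEC3 owner does not match the hash of QNAME"
    present = rr["types"] & {qtype.upper(), "CNAME"}
    if present:
        return False, "bitmap asserts %s exists at %s" % ("/".join(sorted(present)), qname)
    return True, "matching NSEC3 without %s or CNAME bit" % qtype.upper()

# NSEC3 RR from the dig output in the post, joined onto one line.
FROM_POST = ("2v44578rbb03qcv1725nc569s8hoigtq.org. 86400 IN NSEC3 1 1 1 D399EAAB "
             "2V4JIMFKQNNFI3F9ULAG5T1QVEU0K9TK NS DS RRSIG")
# Constructed for comparison: the same RR with only NS in the bitmap.
CONSTRUCTED_NS_ONLY = FROM_POST.rsplit(" NS ", 1)[0] + " NS"

if __name__ == "__main__":
    for label, rr in (("from post", FROM_POST), ("constructed", CONSTRUCTED_NS_ONLY)):
        print(label, check_nodata_proof("geant.org", "DS", rr))
```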