[dns-operations] .org dnssec issue?
Peter van Dijk
peter.van.dijk at powerdns.com
Mon Feb 6 13:44:22 UTC 2017
Hello Daniel,
On 6 Feb 2017, at 13:58, Daniel Stirnimann wrote:
> I think the NSEC3 proof is bogus.
> 2v44578rbb03qcv1725nc569s8hoigtq.org.
> is geant.org:
>
> ldns-nsec3-hash -t 1 -s D399EAAB geant.org
> 2v44578rbb03qcv1725nc569s8hoigtq.
>
> DNSviz said (http://dnsviz.net/d/geant.org/WJhvCw/dnssec/):
> * NSEC3 proving non-existence of geant.org/DS: The DS bit was set in
> the bitmap of the NSEC3 RR corresponding to the delegated name
> (geant.org).
> * NSEC3 proving non-existence of geant.org/DS: The DS bit was set in
> the bitmap of the NSEC3 RR corresponding to the delegated name
> (geant.org).
>
> So, is this a .org issue?
nsec3dig (from the powerdns tools) confirms:
$ nsec3dig 199.249.120.1 53 geant.org DS
Reply to question for qname='geant.org.', qtype=DS
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
1 org. IN SOA 900 a0.org.afilias-nst.info. noc.afilias-nst.info.
2012356043 1800 900 604800 86400
1 org. IN RRSIG 900 SOA 7 1 900 20170227134039 20170206124039 3947 org.
nJHddivGbR7TXnNbrfA1t+xKAGGO5vXDuUaxm0Oe20JTrgo5sHHGs2wXJX77FixDDg1GFFQy3b0Yw10nERhMjBYIuT5bM6Bm6Wa0zT63XPU1woY9pgAVpVwdoLvdGGkElEZFid0N3VS13Ht3yGDlutyYqIUwY281fzUUIgtUj/4=
1 2v44578rbb03qcv1725nc569s8hoigtq.org. IN NSEC3 86400 1 1 1 d399eaab
2V4JIMFKQNNFI3F9ULAG5T1QVEU0K9TK NS DS RRSIG
1 2v44578rbb03qcv1725nc569s8hoigtq.org. IN RRSIG 86400 NSEC3 7 2 86400
20170222152815 20170201142815 3947 org.
n68Q8rrz1s5cP+4+W0f0a3ZXwzJDYtuJhbYKKsjuqB5PgA3HDL9oPdU6NGHZ07bFIK2WyWFoAbYeB7hbDUgIlMQBdYpbTSwZaUff5nSx7nd+xVKJmp3KfqnsI2VL72ClNFalvNx0vnR6rVELJ10TVTal7IJWhKPm54CvUjEyCtE=
2 . IN OPT 32768
== nsec3 prove/deny report follows ==
geant.org (2v44578rbb03qcv1725nc569s8hoigtq) proven by base of
2v44578rbb03qcv1725nc569s8hoigtq..2v4jimfkqnnfi3f9ulag5t1qveu0k9tk
qname found proven, NODATA response?
The NSEC3 indeed says a DS should be there, but there is none.
Incidentally whois says the domain is ‘unsigned’.
This is indeed a .org issue, looks like a signer bug.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
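The checks Daniel and Peter performed by hand (hashing geant.org with the zone's NSEC3 parameters, then reading the matching NSEC3's type bitmap) can be reproduced in a few lines. The script below is an added example for this thread and is not part of the message or of the PowerDNS tools; it implements the RFC 5155 hash and a small classifier for what an NSEC3 in a NODATA answer for <name>/DS actually proves. Function names (name_to_wire, base32hex, nsec3_hash, classify_ds_proof) are chosen here; the salt, iteration count, owner and next hashes and type bitmap are the values from the nsec3dig output above.

```python
"""NSEC3 DS-proof check (added example, reconstructed from RFC 5155).

Reproduces the ldns-nsec3-hash result quoted in the thread and then
examines the NSEC3 record that nsec3dig returned for geant.org/DS.
"""
import hashlib

BASE32HEX_ALPHABET = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 section 7


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) uncompressed wire form of a domain name."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            encoded = label.encode("ascii")
            out.append(len(encoded))
            out += encoded
    out.append(0)  # root label terminator
    return bytes(out)


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet, lowercase, no padding.

    This alphabet keeps byte order and string order identical, which is why
    hashed owner names can be compared as plain strings for covering checks.
    """
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * ((-len(bits)) % 5)
    return "".join(BASE32HEX_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` extra rounds
    of SHA-1(previous || salt). Matches `ldns-nsec3-hash -t <iterations> -s <salt>`."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def classify_ds_proof(qname, salt_hex, iterations, owner_hash, next_hash, types, ds_in_answer):
    """Decide what an NSEC3 record in an answer for <qname>/DS proves.

    Returns one of:
      'bogus'    - the matching NSEC3 asserts DS exists, yet no DS was returned
      'insecure' - matching NSEC3 lists NS but not DS: provably unsigned delegation
      'signed'   - DS both asserted by the NSEC3 and present in the answer
      'nxdomain' - the hash falls in the gap, so the name does not exist at all
      'unproven' - the record neither matches nor covers the name
    """
    h = nsec3_hash(qname, salt_hex, iterations)
    owner, nxt = owner_hash.lower(), next_hash.lower()
    bitmap = {t.upper() for t in types}
    if h == owner:
        if "DS" in bitmap:
            return "signed" if ds_in_answer else "bogus"
        if "NS" in bitmap:
            return "insecure"
        return "unproven"
    # Covering check; the zone's last NSEC3 wraps around to the first hash.
    covered = (owner < h < nxt) if owner < nxt else (h > owner or h < nxt)
    return "nxdomain" if covered else "unproven"


# Values copied from the nsec3dig output in the thread.
OWNER = "2v44578rbb03qcv1725nc569s8hoigtq"
NEXT = "2V4JIMFKQNNFI3F9ULAG5T1QVEU0K9TK"
BITMAP = ["NS", "DS", "RRSIG"]

if __name__ == "__main__":
    print(nsec3_hash("geant.org", "D399EAAB", 1))
    print(classify_ds_proof("geant.org", "d399eaab", 1, OWNER, NEXT, BITMAP, ds_in_answer=False))
```

Run as-is, the first line printed is the hash Daniel obtained from ldns-nsec3-hash, and the verdict for the record as served is "bogus": the NSEC3 matches the query name exactly and its bitmap carries the DS bit, so a validator must treat the missing DS as a broken proof rather than as an insecure delegation. Dropping DS from the bitmap (what a correct signer would emit for an unsigned child) turns the same answer into "insecure". The same classifier doubles as a quick check on any NODATA-for-DS answer a resolver logs as SERVFAIL, to tell a signer-side bitmap error apart from a genuinely missing record.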