[dns-operations] comcast.net DNSSEC validation issues
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Jun 22 15:34:20 UTC 2017
On Thu, Jun 22, 2017 at 10:51:46AM -0400, Rob Foehl wrote:
> The original query is obvious garbage, but I should have been more specific:
> the bad cache entry is for "com:\032haughtington.comcast.net/DS" without the
> first label, so the query to the authoritative servers for comcast.net was
> in fact looking for a DS in the parent. Also, the replies the resolver is
> getting are NXDOMAINs, but BIND wasn't happy with the signatures on them for
> some reason and retried the query against all of the authoritative servers
> before returning a SERVFAIL (and causing trouble for all of comcast.net on
> 9.9).
No similar troubles with unbound 1.6.x as the local resolver:
$ dig [options] -t ds "com: haughtington.comcast.net"
; <<>> DiG 9.11.1-P1 <<>> +dnssec +noall +comment +qu +ans +auth +nocl +nottl +cmd -t ds com: haughtington.comcast.net
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8493
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;com:\032haughtington.comcast.net. IN DS
comcast.net. SOA dns101.comcast.net. domregtech.comcastonline.com. 2008201067 7200 3600 1209600 3600
comcast.net. RRSIG SOA 5 2 7200 20170702135252 20170621134752 27912 comcast.net. ...
coins.comcast.net. NSEC comcast-auth.comcast.net. NS RRSIG NSEC
coins.comcast.net. RRSIG NSEC 5 3 3600 20170702135252 20170621134752 27912 comcast.net. ...
comcast.net. NSEC 4gmobile.comcast.net. A NS SOA MX TXT RRSIG NSEC DNSKEY
comcast.net. RRSIG NSEC 5 2 3600 20170702135252 20170621134752 27912 comcast.net. ...
--
Viktor.
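As an added example (not part of the original post, nor code from BIND or unbound), the Python below checks whether the two NSEC records in the dig output above cover the queried name and the apex wildcard, which is what a validating resolver must establish before treating that NXDOMAIN as authenticated denial of existence. It assumes the queried name sits one label below the apex (so the closest encloser is comcast.net) and leaves RRSIG verification out.

```python
# Added example, not from the original post: NSEC denial-of-existence
# coverage check (RFC 4034 canonical ordering, RFC 4035 section 5.4),
# applied to the two NSEC records in the dig output above. RRSIG
# verification is out of scope here.

def canonical_key(name: str) -> list:
    """Labels of a presentation-format name, lowercased, unescaped and
    reversed, so that Python list/bytes comparison equals the RFC 4034
    canonical order (rightmost label first, byte-wise, absent label < any)."""
    labels = []
    for label in name.rstrip(".").split("."):
        out, i = bytearray(), 0
        while i < len(label):
            esc = label[i + 1:i + 4]
            if label[i] == "\\" and len(esc) == 3 and esc.isdigit():
                out.append(int(esc))          # \DDD escape, e.g. \032 = space
                i += 4
            else:
                out.append(ord(label[i].lower()))
                i += 1
        labels.append(bytes(out))
    return labels[::-1]

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname sorts strictly between the NSEC owner and its next name.
    The zone's last NSEC points back to the apex, so its range wraps around."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n

def proves_nxdomain(zone: str, nsecs: list, qname: str) -> bool:
    """NXDOMAIN needs one NSEC covering qname and one covering the wildcard
    at the closest encloser. Assumption: qname is a direct child of the apex,
    so the closest encloser is the zone itself."""
    wildcard = "*." + zone
    return (any(nsec_covers(o, n, qname) for o, n in nsecs)
            and any(nsec_covers(o, n, wildcard) for o, n in nsecs))

# (owner, next) pairs transcribed from the NSEC records in the dig output above.
ZONE = "comcast.net."
QNAME = r"com:\032haughtington.comcast.net."
NSECS = [
    ("coins.comcast.net.", "comcast-auth.comcast.net."),
    ("comcast.net.", "4gmobile.comcast.net."),
]

if __name__ == "__main__":
    for owner, nxt in NSECS:
        print(f"{owner} -> {nxt} covers {QNAME}: {nsec_covers(owner, nxt, QNAME)}")
    print("authenticated NXDOMAIN:", proves_nxdomain(ZONE, NSECS, QNAME))
```

The first NSEC covers the queried name (":" sorts before "c", so it falls between coins and comcast-auth), while the apex NSEC covers *.comcast.net ("*" sorts before "4"); both are needed, which is why the response carries two NSEC/RRSIG pairs.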