[dns-operations] No RRSIG for SOA or NS for Google's gexperiments4.com hosted by googledomains.com?

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Apr 29 18:54:16 UTC 2018 

Anyone know or free to say what sort of experiment this might be?

  http://dnsviz.net/d/gexperiments4.com/Wq4U_w/dnssec/

The DNSKEY RRSet is signed, but at least the SOA and NS RRsets are not,
the denial of existence for MX does return RRSIGs for the NSEC record.
The RRSIGs last ~2.75 years:

@ns4.googledomains.com.[216.239.38.99]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41799
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;gexperiments4.com.     IN NS
gexperiments4.com.      NS      ns1.googledomains.com.
gexperiments4.com.      NS      ns2.googledomains.com.
gexperiments4.com.      NS      ns3.googledomains.com.
gexperiments4.com.      NS      ns4.googledomains.com.

@ns4.googledomains.com.[216.239.38.99]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40031
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;gexperiments4.com.     IN MX
gexperiments4.com.      SOA     ns1.googledomains.com. dns-admin.google.com. 1879049385 21600 3600 1209600 300
gexperiments4.com.      NSEC    dnssec-df.gexperiments4.com. NS SOA RRSIG NSEC DNSKEY
gexperiments4.com.      RRSIG   NSEC 8 2 300 20200120175135 20170425165135 56283 ...

The "dnssec-df" sub-domain is the only other name in the zone:

@ns4.googledomains.com.[216.239.38.99]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1264
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;dnssec-df.gexperiments4.com. IN        MX
gexperiments4.com.      SOA     ns1.googledomains.com. dns-admin.google.com. 1879049385 21600 3600 1209600 300
dnssec-df.gexperiments4.com. NSEC gexperiments4.com. A AAAA RRSIG NSEC
dnssec-df.gexperiments4.com. RRSIG NSEC 8 3 300 20200120175135 20170425165135 ...

Its A RRset is signed:

@ns4.googledomains.com.[216.239.38.99]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24487
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;dnssec-df.gexperiments4.com. IN        A
dnssec-df.gexperiments4.com. A  216.239.32.55
dnssec-df.gexperiments4.com. RRSIG A 8 3 300 20200120175135 20170425165135 ...

-- 
	Viktor.

More information about the dns-operations mailing list