[dns-operations] DNSViz 0.6.7 (FreeBSD 11.1-RELEASE-p10) reports all but first NSEC3 RRSIG as "BOGUS"
casey at deccio.net
Mon Aug 6 15:16:49 UTC 2018
> On Aug 5, 2018, at 12:34 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> I am trying to use the DNSViz CLI on my own machine, rather than
> farm out all processing to the website. But I am running into
> unexpected wrinkles. TLSA lookups that elicit multiple NSEC3
> records as proof of non-existence seem to consistently report
> "BOGUS" RRSIGs for all but the first NSEC3 record.
The problem is actually caused by a bug in graphviz. I first noticed it in 2016:
Then there was an issue filed in 2017:
Apparently it had been fixed in the development version, but had not been backported to 2.39/2.40. I haven't done enough poking around to find out which graphviz patch(es) need to be backported and log an official issue, but it could be done here: