[dns-operations] DNSViz 0.6.7 (FreeBSD 11.1-RELEASE-p10) reports all but first NSEC3 RRSIG as "BOGUS"

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Aug 6 16:10:27 UTC 2018

> On Aug 6, 2018, at 11:16 AM, Casey Deccio <casey at deccio.net> wrote:
>> I am trying to use the DNSViz CLI on my own machine, rather than
>> farm out all processing to the website.  But I am running into
>> unexpected wrinkles.  TLSA lookups that elicit multiple NSEC3
>> records as proof of non-existence seem to consistently report
>> "BOGUS" RRSIGs for all but the first NSEC3 record.
> The problem is actually caused by a bug in graphviz.  I first noticed it in 2016:
> https://groups.google.com/forum/#!topic/pygraphviz-discuss/rkoqKhN-R9o
> Then there was an issue filed in 2017:
> https://github.com/ellson/MOTHBALLED-graphviz/issues/1252
> Apparently it had been fixed in the development version, but had not been backported to 2.39/2.40.  I haven't done enough poking around to find out which graphviz patch(es) need to be backported and log an official issue, but it could be done here:
> https://gitlab.com/graphviz/graphviz/issues

So "dnsviz print" and "dnsviz grok" use graphviz, even though they don't
do any graphics?  And are affected by this bug?  What version of graphviz
are you using for the website?


More information about the dns-operations mailing list