[dns-operations] .ES problems with NSEC3
Casey Deccio
casey at deccio.net
Thu Jan 4 15:08:05 UTC 2018
> On Jan 4, 2018, at 7:32 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
> On Wed, Jan 03, 2018 at 10:29:06AM +0000,
> Jerry Lundström <jerry at dns-oarc.net> wrote
> a message of 21 lines which said:
>
>> "RRSIG NSEC3 proving non-existence of museodelprado.es/DS alg 8, id 36970: The
>> cryptographic signature of the RRSIG RR does not properly validate."
>
> There have been several attemps to fix the problem today. This one is
> nice: publishing both the DS and a NSEC3 record proving the DS does
> not exist.
>
> http://dnsviz.net/d/museodelprado.es/Wk4rjA/dnssec/
Note that the (erroneous) DS is only being returned by one server, g.nic.es. The other servers seem to be returning correct responses at this point.
Casey
More information about the dns-operations
mailing list