[dns-operations] .ES problems with NSEC3

Casey Deccio casey at deccio.net
Thu Jan 4 15:08:05 UTC 2018

> On Jan 4, 2018, at 7:32 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Wed, Jan 03, 2018 at 10:29:06AM +0000,
> Jerry Lundström <jerry at dns-oarc.net> wrote 
> a message of 21 lines which said:
>> "RRSIG NSEC3 proving non-existence of museodelprado.es/DS alg 8, id 36970: The
>> cryptographic signature of the RRSIG RR does not properly validate."
> There have been several attemps to fix the problem today. This one is
> nice: publishing both the DS and a NSEC3 record proving the DS does
> not exist.
> http://dnsviz.net/d/museodelprado.es/Wk4rjA/dnssec/

Note that the (erroneous) DS is only being returned by one server, g.nic.es.  The other servers seem to be returning correct responses at this point.


More information about the dns-operations mailing list