[dns-operations] Algorithm but no signature in .in?

Mark Andrews marka at isc.org
Fri Mar 27 07:37:46 UTC 2020



> On 27 Mar 2020, at 18:18, Vladimír Čunát <vladimir.cunat+ietf at nic.cz> wrote:
> 
> Hello.
> 
> On 3/27/20 6:44 AM, Stephane Bortzmeyer wrote:
>> Some resolvers protest on .in. It seems they have a RSASHA256 key but
>> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
>> MUST be an RRSIG for each RRset using at least one DNSKEY of EACH
>> ALGORITHM”.
> 
> Note that in this case the mistake is on *both* sides, so it's an
> opportunity to also fix these validators.  See
>> This requirement applies to servers, not validators. Validators SHOULD
>> accept any single valid path.
> 
> https://tools.ietf.org/html/rfc6840#section-5.11

I see no evidence of validator failures here.  I know that when people
complain that the zone should have been fully signed it is often really
an overly strict validator but this isn’t the case here.

BIND will *correctly* fail if NSEC3RSASHA1 is disabled in named.conf as
it also supports RSASHA256.  India just stuffed up the key management.

[beetle:~/git/bind9] marka% dig ds in. @a.root-servers.net

; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> ds in. @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9716
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;in.				IN	DS

;; ANSWER SECTION:
in.			86400	IN	DS	35373 7 2 A5F1FEB3C7C62843C287BF38E0CFA8D33A1DF8FE2B7FD871BFDCFF8E A0B354DA
in.			86400	IN	DS	54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
in.			86400	IN	DS	54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
in.			86400	IN	DS	35373 7 1 C8750CE0393237D97BE351C84326E45A20EFF25C

;; Query time: 126 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Mar 27 18:29:15 AEDT 2020
;; MSG SIZE  rcvd: 199

[beetle:~/git/bind9] marka% 


>> (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)
> 
> Seems to work for me at this moment, e.g.:
> https://dnsviz.net/d/registry.in/XnzgYw/dnssec/
> (Thanks for this restored feature again!)
> 
> --Vladimir
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
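The two rules the thread turns on are easy to confuse: RFC 4035 section 2.2 binds the signer (every algorithm listed in the DS RRset must sign every RRset), while RFC 6840 section 5.11 binds the validator (accept the zone if any one supported algorithm yields a complete chain). The following is an added example, not code from the thread, from BIND or from ISC: it parses the DS records from the dig output above, checks digest lengths, and evaluates both rules. The set of RRSIG algorithms present at the .in apex is a constructed value chosen to mirror the situation the thread describes (algorithm 7 signatures present, algorithm 8 signatures absent); it is not a live measurement, and the "supported algorithms" sets stand in for a validator's named.conf-style algorithm policy.

```python
"""Compare a zone's DS algorithm set with the signatures it actually publishes.

Added example for the dns-operations thread above; not the project's own code.
"""
import re

# IANA DNSSEC algorithm numbers for the values that matter here.
ALGORITHM_NAMES = {
    5: "RSASHA1",
    7: "NSEC3RSASHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
}

# Expected hex length of the DS digest field per digest type (SHA-1, SHA-256, SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

# DS answer section copied from the dig output in the thread (whitespace normalised).
DIG_ANSWER = """\
in. 86400 IN DS 35373 7 2 A5F1FEB3C7C62843C287BF38E0CFA8D33A1DF8FE2B7FD871BFDCFF8E A0B354DA
in. 86400 IN DS 54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
in. 86400 IN DS 54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
in. 86400 IN DS 35373 7 1 C8750CE0393237D97BE351C84326E45A20EFF25C
"""

# Constructed: algorithms for which RRSIGs exist at the apex in the scenario described.
APEX_RRSIG_ALGORITHMS = {7}

DS_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_ds(text):
    """Return a list of (keytag, algorithm, digest_type, digest_hex) from dig-style DS lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        m = DS_RE.match(line)
        if not m:
            raise ValueError("not a DS record: %r" % line)
        _owner, _ttl, keytag, alg, dtype, digest = m.groups()
        digest = digest.replace(" ", "").upper()  # dig wraps long digests with a space
        dtype = int(dtype)
        if dtype in DIGEST_HEX_LEN and len(digest) != DIGEST_HEX_LEN[dtype]:
            raise ValueError("digest type %d has wrong length %d" % (dtype, len(digest)))
        records.append((int(keytag), int(alg), dtype, digest))
    return records


def ds_algorithms(records):
    """Set of DNSKEY algorithms the parent commits the child zone to."""
    return {alg for _tag, alg, _dt, _dg in records}


def signer_violations(ds_algs, rrsig_algs):
    """RFC 4035 2.2 (signer side): DS algorithms that have no RRSIGs in the zone."""
    return sorted(ds_algs - rrsig_algs)


def validator_outcome(ds_algs, rrsig_algs, supported_algs):
    """RFC 6840 5.11 (validator side): secure if any supported algorithm has DS and RRSIGs.

    Returns (status, algorithms_that_validated). A validator supporting none of the
    DS algorithms has no authentication path and treats the zone as insecure
    (RFC 4035 5.2) rather than bogus.
    """
    usable = ds_algs & supported_algs
    if not usable:
        return ("insecure", set())
    valid_paths = usable & rrsig_algs
    if valid_paths:
        return ("secure", valid_paths)
    return ("bogus", set())


def report(ds_text, rrsig_algs, supported_algs):
    """Evaluate both rules for one zone and return a summary dict."""
    algs = ds_algorithms(parse_ds(ds_text))
    status, used = validator_outcome(algs, rrsig_algs, supported_algs)
    return {
        "ds_algorithms": [ALGORITHM_NAMES.get(a, str(a)) for a in sorted(algs)],
        "signer_violations": [ALGORITHM_NAMES.get(a, str(a)) for a in signer_violations(algs, rrsig_algs)],
        "validator_status": status,
        "validated_with": sorted(used),
    }


if __name__ == "__main__":
    # Validator with both algorithms enabled: algorithm 7 gives a valid path.
    print(report(DIG_ANSWER, APEX_RRSIG_ALGORITHMS, {7, 8}))
    # Validator with NSEC3RSASHA1 disabled (as in the BIND remark above): bogus.
    print(report(DIG_ANSWER, APEX_RRSIG_ALGORITHMS, {8}))
```

Running the block shows the distinction Mark draws: the signer-side check reports RSASHA256 as a violation regardless of who validates, while the validator-side outcome is "secure" when algorithm 7 is enabled and "bogus" only when it has been disabled, which is exactly the configuration under which a validator is right to fail.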