[dns-operations] is anybody awake at 220.127.116.11.0.2.ip6.arpa? (comcast and/or arin)
shuque at gmail.com
Tue Oct 6 12:14:09 UTC 2020
On Mon, Oct 5, 2020 at 11:22 PM Mark Andrews <marka at isc.org> wrote:
> > On 6 Oct 2020, at 13:18, Paul Vixie <vixie at fsi.io> wrote:
> > ssh gets hinky when i connect from a server whose PTR is "servfail"
> > (dnssec "bogus")
> > • 18.104.22.168.0.2.ip6.arpa to 22.214.171.124.126.96.36.199.ip6.arpa: No valid
> > RRSIGs made by a key corresponding to a DS RR were found covering the
> > DNSKEY RRset, resulting in no secure entry point (SEP) into the zone.
> > (188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124,
> > 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244,
> > 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228,
> > 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_K)
> I have no idea why DNSVIZ is reporting this NSEC record (?) given there is
> a DS RRset. The covering NSEC record for 126.96.36.199.188.8.131.52.ip6.arpa that
> would prove the non existence of the DS RRset if it didn't exist is
> 184.108.40.206.220.127.116.11.ip6.arpa. I suspect a DNSVIZ bug here.
Sorry Mark - where do you see dnsviz complaining about an NSEC record?
This error message says that no "valid" DNSKEY RRSIGs made by a key
matching the DS RRset were found -- which is a correct diagnosis. No NSEC
records are involved in that determination.
As you've already pointed out, DNSKEY with keytag 47242 has an expired
signature on the DNSKEY RRset. Key 30705 has a valid unexpired signature
but that does not match the DS set (it also doesn't have the advisory SEP
flag, so was likely not intended to be used as a secure entry point).
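The reasoning in this reply, turned into a small check (an added example, not code from the thread or from DNSViz): for each DNSKEY, does its key tag and SHA-256 digest match a DS record, and does an unexpired RRSIG over the DNSKEY RRset exist from it? The zone name, key bytes and timestamps are constructed, and the signatures themselves are not cryptographically verified.

```python
import hashlib
import struct

def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    # DNSKEY RDATA: flags, protocol (always 3), algorithm, public key (RFC 4034 s2)
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    # DS digest type 2: SHA-256 over canonical wire-format owner name + DNSKEY RDATA (RFC 4034 s5.1.4)
    labels = owner.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).digest()

def secure_entry_points(owner, ds_set, dnskeys, rrsigs, now):
    # ds_set: [(key_tag, sha256_digest)] from the parent; dnskeys: [DNSKEY RDATA];
    # rrsigs: [(key_tag, inception, expiration)] covering the DNSKEY RRset.
    # Only chain metadata is checked; signatures are NOT cryptographically verified.
    seps, findings = [], []
    for rdata in dnskeys:
        tag = key_tag(rdata)
        sep_flag = bool(struct.unpack("!H", rdata[:2])[0] & 1)
        in_ds = any(t == tag and d == ds_digest(owner, rdata) for t, d in ds_set)
        live = [s for s in rrsigs if s[0] == tag and s[1] <= now <= s[2]]
        if in_ds and live:
            seps.append(tag)
        elif in_ds:
            findings.append(f"key {tag}: matches DS but has no unexpired RRSIG over DNSKEY")
        elif live:
            note = "" if sep_flag else " (no SEP flag, so likely never meant as an entry point)"
            findings.append(f"key {tag}: unexpired RRSIG but no matching DS{note}")
    if not seps:
        findings.append("no secure entry point (SEP) into the zone: validation is bogus")
    return seps, findings

# Constructed sample (not from the thread): a KSK whose DNSKEY RRSIG has expired
# and a ZSK with a live RRSIG but no DS, mirroring the situation described above.
OWNER = "example.ip6.arpa."                          # hypothetical zone name
KSK = dnskey_rdata(257, 13, bytes(range(64)))        # flags 257 = ZONE|SEP
ZSK = dnskey_rdata(256, 13, bytes(range(64, 128)))   # flags 256 = ZONE only
DS_SET = [(key_tag(KSK), ds_digest(OWNER, KSK))]
NOW = 1601985600                                     # constructed "current time"
RRSIGS = [(key_tag(KSK), NOW - 30 * 86400, NOW - 86400),  # expired a day ago
          (key_tag(ZSK), NOW - 86400, NOW + 86400)]        # still valid
```

Running `secure_entry_points(OWNER, DS_SET, [KSK, ZSK], RRSIGS, NOW)` reports an empty SEP list plus one finding per key, the same shape of diagnosis DNSViz gave above; re-signing the DNSKEY RRset with the KSK is what restores the entry point.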