[dns-operations] is anybody awake at (comcast and/or arin)

Mark Andrews marka at isc.org
Tue Oct 6 12:27:51 UTC 2020

> On 6 Oct 2020, at 23:14, Shumon Huque <shuque at gmail.com> wrote:
> On Mon, Oct 5, 2020 at 11:22 PM Mark Andrews <marka at isc.org> wrote:
> > On 6 Oct 2020, at 13:18, Paul Vixie <vixie at fsi.io> wrote:
> > 
> > ssh gets hinky when i connect from a server whose PTR is "servfail" (dnssec "bogus")
> > 
> >       • to No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (,,,,, 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244, 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228, 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_K)
> I have no idea why DNSVIZ is reporting this NSEC record (?) given there is a DS RRset.  The covering NSEC record for that would prove the non-existence of the DS RRset if it didn’t exist.  I suspect a DNSVIZ bug here.
> Sorry Mark - where do you see dnsviz complaining about an NSEC record?

If it was a DS record I would expect the message to say “(”, not “to”, which feels more like an NSEC than a DS.  It’s not actually clear what RRset it is referring to.

> This error message says that no "valid" DNSKEY RRSIGs made by a key matching the DS RRset were found -- which is a correct diagnosis. No NSEC records are involved in that determination.
> As you've already pointed out, DNSKEY with keytag 47242 has an expired signature on the DNSKEY RRset. Key 30705 has a valid unexpired signature but that does not match the DS set (it also doesn't have the advisory SEP flag, so was likely not intended to be used as a secure entry point).
> Shumon.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
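Worked example, added here and not part of the thread or of DNSViz: the script below reproduces the diagnosis Shumon describes. It computes each DNSKEY's key tag (RFC 4034 Appendix B), decides whether a key corresponds to a published DS RR by recomputing the SHA-256 DS digest (RFC 4509) rather than comparing tags alone, checks the advisory SEP flag, and tests each DNSKEY RRSIG against its inception/expiration window. The zone name example.net, the key bytes and the timestamps are constructed for the example; cryptographic verification of the signature bytes is left out and marked where a real validator would do it.

```python
"""Why does a DNSKEY RRset have no secure entry point (SEP)?

Added example, not the thread's or DNSViz's code. Key material, zone name
and timestamps are constructed; signature bytes are not verified here.
"""
import hashlib
import struct
from dataclasses import dataclass


def wire_name(name: str) -> bytes:
    """Owner name in DNS wire format, lower-cased as RFC 4034 canonical form requires."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry once."""
        acc = 0
        for i, byte in enumerate(self.rdata()):
            acc += byte if i & 1 else byte << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF

    def is_sep(self) -> bool:
        return bool(self.flags & 0x0001)  # flags bit 15 is the advisory SEP flag

    def ds_digest(self, owner: str) -> bytes:
        """DS digest type 2 (RFC 4509): SHA-256(owner wire name || DNSKEY RDATA)."""
        return hashlib.sha256(wire_name(owner) + self.rdata()).digest()


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    inception: int   # seconds since epoch, as carried in the RRSIG RDATA
    expiration: int
    key_tag: int
    signer: str


def find_secure_entry_point(owner, ds_set, dnskeys, rrsigs, now):
    """Return (sep_found, findings) for the DNSKEY RRset of `owner` at time `now`."""
    findings, sep_found = [], False
    for sig in (s for s in rrsigs if s.type_covered == "DNSKEY"):
        key = next((k for k in dnskeys
                    if k.key_tag() == sig.key_tag and k.algorithm == sig.algorithm), None)
        if key is None:
            findings.append(f"keytag {sig.key_tag}: no DNSKEY with that tag and algorithm")
            continue
        # Match on the digest, not only the tag: tags collide and DS sets go stale.
        in_ds = any(d.key_tag == key.key_tag() and d.algorithm == key.algorithm
                    and d.digest_type == 2 and d.digest == key.ds_digest(owner)
                    for d in ds_set)
        if not in_ds:
            note = "" if key.is_sep() else " (no SEP flag, so not meant as an entry point)"
            findings.append(f"keytag {sig.key_tag}: signing key matches no DS RR{note}")
            continue
        # RFC 4035 5.3.1: the validator's clock must lie inside the signature window.
        if now > sig.expiration:
            findings.append(f"keytag {sig.key_tag}: key matches DS but RRSIG expired "
                            f"{now - sig.expiration} s ago")
            continue
        if now < sig.inception:
            findings.append(f"keytag {sig.key_tag}: key matches DS but RRSIG not yet valid")
            continue
        # A real validator verifies the signature bytes with key.public_key here.
        findings.append(f"keytag {sig.key_tag}: DS-matching key, RRSIG in validity window")
        sep_found = True
    return sep_found, findings


# Constructed scenario mirroring the thread: DS points at a KSK whose DNSKEY RRSIG has
# expired, while a ZSK without a DS (and without the SEP flag) still signs validly.
ZONE = "example.net."          # stand-in zone, not the one discussed above
NOW = 1_601_987_271            # 2020-10-06 12:27:51 UTC, the timestamp of this message
DAY = 86_400
KSK = DNSKEY(257, 3, 13, bytes(range(64)))        # SEP flag set, DS published
ZSK = DNSKEY(256, 3, 13, bytes(range(64, 128)))   # no SEP flag, no DS
PARENT_DS = [DS(KSK.key_tag(), 13, 2, KSK.ds_digest(ZONE))]
DNSKEY_RRSIGS = [
    RRSIG("DNSKEY", 13, NOW - 30 * DAY, NOW - 2 * DAY, KSK.key_tag(), ZONE),  # expired
    RRSIG("DNSKEY", 13, NOW - 7 * DAY, NOW + 7 * DAY, ZSK.key_tag(), ZONE),   # fresh, no DS
]


def broken_case():
    return find_secure_entry_point(ZONE, PARENT_DS, [KSK, ZSK], DNSKEY_RRSIGS, NOW)


def repaired_case():
    """Same keys and DS set after the zone re-signs its DNSKEY RRset with the KSK."""
    fresh = RRSIG("DNSKEY", 13, NOW - DAY, NOW + 14 * DAY, KSK.key_tag(), ZONE)
    return find_secure_entry_point(ZONE, PARENT_DS, [KSK, ZSK], DNSKEY_RRSIGS + [fresh], NOW)


if __name__ == "__main__":
    for label, (ok, notes) in (("broken", broken_case()), ("repaired", repaired_case())):
        print(f"{label}: secure entry point {'found' if ok else 'NOT found'}")
        for line in notes:
            print("   ", line)
```

The broken case reports the same two facts as the DNSViz message: the only DS-matching RRSIG is expired, and the unexpired RRSIG was made by a key that matches no DS and carries no SEP flag. Re-signing the DNSKEY RRset with the KSK is enough to restore an entry point; the ZSK's RRSIG is irrelevant either way.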
