[EXTERNAL] Re: [dns-operations] is anybody awake at 5.0.1.0.0.2.ip6.arpa? (comcast and/or arin)

Feldman, Mark Mark_Feldman at comcast.com
Tue Oct 6 13:32:20 UTC 2020


We are awake now.  With some coffee and some consultation with our vendor, we have corrected the signing issue on 9.5.5.0.1.0.0.2.ip6.arpa.  Now to make sure this doesn't happen again...

  Mark
  Comcast DNS


On 10/6/20, 8:31 AM, "dns-operations on behalf of Mark Andrews" <dns-operations-bounces at dns-oarc.net on behalf of marka at isc.org> wrote:



    > On 6 Oct 2020, at 23:14, Shumon Huque <shuque at gmail.com> wrote:
    >
    > On Mon, Oct 5, 2020 at 11:22 PM Mark Andrews <marka at isc.org> wrote:
    > > On 6 Oct 2020, at 13:18, Paul Vixie <vixie at fsi.io> wrote:
    > >
    > > ssh gets hinky when i connect from a server whose PTR is "servfail" (dnssec "bogus")
    > >
    > >       • 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (68.87.68.244, 68.87.72.244, 68.87.76.228, 68.87.85.132, 69.252.250.103, 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244, 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228, 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_K)
    >
    > I have no idea why DNSVIZ is reporting this NSEC record (?) given there is a DS RRset.  The covering NSEC record for 9.5.5.0.1.0.0.2.ip6.arpa that would prove the non-existence of the DS RRset if it didn’t exist is 9.5.5.0.1.0.0.2.ip6.arpa.  I suspect a DNSVIZ bug here.
    >
    > Sorry Mark - where do you see dnsviz complaining about an NSEC record?

    If it was a DS record I would expect the message to say 9.5.5.0.1.0.0.2.ip6.arpa (not 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa), which feels more like an NSEC than a DS.  It’s not actually clear what RRset it is referring to.

    > This error message says that no "valid" DNSKEY RRSIGs made by a key matching the DS RRset were found -- which is a correct diagnosis. No NSEC records are involved in that determination.
    >
    > As you've already pointed out, DNSKEY with keytag 47242 has an expired signature on the DNSKEY RRset. Key 30705 has a valid unexpired signature but that does not match the DS set (it also doesn't have the advisory SEP flag, so was likely not intended to be used as a secure entry point).
    >
    > Shumon.
    >

    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
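Shumon's diagnosis above (one RRSIG over the DNSKEY RRset expired, the other made by a key that is absent from the parent's DS set and lacks the SEP flag) is a mechanical check that an operator can run against a zone's own records before a validating resolver turns the apex "bogus". The following is an added example, not code from this thread, from DNSViz or from any of the posters: it computes RFC 4034 key tags and SHA-256 DS digests with only the Python standard library, then walks the RRSIGs over the DNSKEY RRset the way the DNSViz message describes, reporting which condition each signature fails. The zone name, keys, DS record and timestamps are all constructed for the demonstration; cryptographic verification of the signatures themselves is left to a resolver and is not performed here.

```python
"""Secure-entry-point (SEP) check for a DNSSEC zone apex, stdlib only.

Added illustration for the dns-operations thread above; all data is constructed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the generic algorithm; RSA/MD5 alg 1 differs)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner-name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        return dnskey_rdata(self.flags, self.algorithm, self.pubkey)

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)

    @property
    def sep(self) -> bool:
        return bool(self.flags & 0x0001)  # advisory SEP bit (bit 15)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # only type 2 (SHA-256) is handled here
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    inception: int   # seconds since epoch
    expiration: int


def find_secure_entry_point(owner: str, dnskeys: List[DNSKEY], ds_set: List[DS],
                            dnskey_rrsigs: List[RRSIG], now: int
                            ) -> Tuple[Optional[int], List[str]]:
    """Return (key tag of a usable SEP or None, list of problems found).

    A SEP needs a DNSKEY that (a) matches a DS record in the parent and (b) made a
    currently valid RRSIG over the DNSKEY RRset. Signature bytes are assumed to be
    checked elsewhere; this reproduces only the bookkeeping DNSViz complains about.
    """
    problems: List[str] = []
    by_tag = {(k.tag, k.algorithm): k for k in dnskeys}
    for sig in dnskey_rrsigs:
        key = by_tag.get((sig.key_tag, sig.algorithm))
        if key is None:
            problems.append(f"RRSIG by key tag {sig.key_tag}: no such DNSKEY in the RRset")
            continue
        if not sig.inception <= now <= sig.expiration:
            problems.append(f"RRSIG by key tag {sig.key_tag}: outside validity window "
                            f"({sig.inception}..{sig.expiration}, now {now})")
            continue
        matches_ds = any(
            d.key_tag == key.tag and d.algorithm == key.algorithm and d.digest_type == 2
            and d.digest == ds_digest_sha256(owner, key.rdata)
            for d in ds_set)
        if not matches_ds:
            note = "" if key.sep else " (SEP flag not set either)"
            problems.append(f"RRSIG by key tag {sig.key_tag}: key matches no DS record{note}")
            continue
        return key.tag, problems
    return None, problems


def demo(now: int = 1_601_990_000):
    """Constructed scenario mirroring the thread: expired KSK signature, valid ZSK-only
    signature. Returns the broken result and the result after the KSK re-signs."""
    owner = "example.invalid."  # constructed zone, not the ip6.arpa zone in the thread
    ksk = DNSKEY(257, 13, bytes(range(1, 65)))        # SEP set, fake 64-byte key
    zsk = DNSKEY(256, 13, bytes(range(64, 0, -1)))    # no SEP, not in DS
    ds_set = [DS(ksk.tag, 13, 2, ds_digest_sha256(owner, ksk.rdata))]
    broken = [RRSIG(ksk.tag, 13, now - 30 * 86400, now - 86400),  # expired a day ago
              RRSIG(zsk.tag, 13, now - 86400, now + 13 * 86400)]  # valid, wrong key
    fixed = [RRSIG(ksk.tag, 13, now - 3600, now + 13 * 86400), broken[1]]
    keys = [ksk, zsk]
    return (find_secure_entry_point(owner, keys, ds_set, broken, now),
            find_secure_entry_point(owner, keys, ds_set, fixed, now))


if __name__ == "__main__":
    for label, (sep, problems) in zip(("before re-sign", "after re-sign"), demo()):
        print(f"{label}: SEP key tag = {sep}")
        for p in problems:
            print("  -", p)
```

Feeding a zone's real DNSKEY, DS and RRSIG records into `find_secure_entry_point` (parsed from `dig +dnssec` output, for instance) reports the same two failure modes the thread identifies: a DS-matching key whose DNSKEY signature has lapsed, and a key with a fresh signature that the parent never delegated to. Running the check from monitoring, with the validity window compared against a threshold well ahead of expiration, is the "make sure this doesn't happen again" step.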

