[EXTERNAL] Re: [dns-operations] is anybody awake at 126.96.36.199.0.2.ip6.arpa? (comcast and/or arin)
Mark_Feldman at comcast.com
Tue Oct 6 13:32:20 UTC 2020
We are awake now. With some coffee and some consultation with our vendor, we have corrected the signing issue on 188.8.131.52.184.108.40.206.ip6.arpa. Now to make sure this doesn't happen again...
On 10/6/20, 8:31 AM, "dns-operations on behalf of Mark Andrews" <dns-operations-bounces at dns-oarc.net on behalf of marka at isc.org> wrote:
> On 6 Oct 2020, at 23:14, Shumon Huque <shuque at gmail.com> wrote:
> On Mon, Oct 5, 2020 at 11:22 PM Mark Andrews <marka at isc.org> wrote:
> > On 6 Oct 2020, at 13:18, Paul Vixie <vixie at fsi.io> wrote:
> > ssh gets hinky when i connect from a server whose PTR is "servfail" (dnssec "bogus")
> > • 220.127.116.11.0.2.ip6.arpa to 18.104.22.168.22.214.171.124.ip6.arpa: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244, 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228, 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_K)
> I have no idea why DNSVIZ is reporting this NSEC record (?) given there is a DS RRset. The covering NSEC record for 22.214.171.124.126.96.36.199.ip6.arpa that would prove the non existence of the DS RRset if it didn’t exist is 188.8.131.52.184.108.40.206.ip6.arpa. I suspect a DNSVIZ bug here.
> Sorry Mark - where do you see dnsviz complaining about an NSEC record?
> If it was a DS record I would expect the message to say 220.127.116.11.18.104.22.168.ip6.arpa (not 22.214.171.124.0.2.ip6.arpa to 126.96.36.199.188.8.131.52.ip6.arpa) which feels more like a NSEC than a DS. It’s not actually clear what RRset it is referring to.
> This error message says that no "valid" DNSKEY RRSIGs made by a key matching the DS RRset were found -- which is a correct diagnosis. No NSEC records are involved in that determination.
> As you've already pointed out, DNSKEY with keytag 47242 has an expired signature on the DNSKEY RRset. Key 30705 has a valid unexpired signature but that does not match the DS set (it also doesn't have the advisory SEP flag, so was likely not intended to be used as a secure entry point).
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
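The diagnosis in the quoted exchange (a key that matches the DS set but whose RRSIG over the DNSKEY RRset has expired, beside a key with a fresh signature that no DS refers to and that lacks the SEP flag) is the "no secure entry point" condition a validator reports. The following pure-Python script is an added example, not code from this thread, from ISC or from DNSViz; it reproduces that decision offline from the pieces of RFC 4034 involved (key tag, DS digest, RRSIG validity window, SEP flag). The zone name `example.test.`, both keys and all timestamps are constructed; only the fixed `NOW` value is taken from the date of the reply above.

```python
import hashlib
import struct
from dataclasses import dataclass

SEP_FLAG = 0x0001      # RFC 4034 s.2.1.1 Secure Entry Point bit
SHA256_DIGEST = 2      # RFC 4509 DS digest type
NOW = 1601991140       # 2020-10-06 13:32:20 UTC, date of the reply above; fixed so the run is deterministic


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lowercase, length-prefixed labels, root label."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    @property
    def has_sep_flag(self) -> bool:
        return bool(self.flags & SEP_FLAG)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += byte << 8 if i % 2 == 0 else byte
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    """Only the RRSIG fields the SEP decision needs. `crypto_ok` stands in for the public-key
    verification a real validator performs (assumption: done elsewhere, result passed in)."""
    key_tag: int
    algorithm: int
    inception: int
    expiration: int
    crypto_ok: bool = True


def ds_for_key(owner: str, key: DNSKEY) -> DS:
    """DS digest = SHA-256(owner name wire form || DNSKEY RDATA), RFC 4034 s.5.1.4 with RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, SHA256_DIGEST, digest)


def key_matches_ds(owner: str, key: DNSKEY, ds: DS) -> bool:
    return (ds.digest_type == SHA256_DIGEST and ds.algorithm == key.algorithm
            and ds.key_tag == key.key_tag() and ds.digest == ds_for_key(owner, key).digest)


def _serial_le(a: int, b: int) -> bool:
    """a <= b in RFC 1982 32-bit serial arithmetic, which RRSIG timestamps use (RFC 4034 s.3.1.5)."""
    return a == b or ((b - a) % 2**32) < 2**31


def rrsig_time_valid(sig: RRSIG, now: int) -> bool:
    return _serial_le(sig.inception, now) and _serial_le(now, sig.expiration)


def find_secure_entry_points(owner, dnskeys, ds_set, dnskey_rrsigs, now=NOW):
    """Return (entry_point_key_tags, diagnostics_by_key_tag) for a DNSKEY RRset as a validator judges it."""
    entry_points, diagnostics = [], {}
    for key in dnskeys:
        tag = key.key_tag()
        matches_ds = any(key_matches_ds(owner, key, ds) for ds in ds_set)
        sigs = [s for s in dnskey_rrsigs if s.key_tag == tag and s.algorithm == key.algorithm]
        usable = [s for s in sigs if s.crypto_ok and rrsig_time_valid(s, now)]
        if matches_ds and usable:
            entry_points.append(tag)
            diagnostics[tag] = "matches DS and has a valid RRSIG over DNSKEY: secure entry point"
        elif matches_ds:
            if not sigs:
                why = "missing"
            elif not any(rrsig_time_valid(s, now) for s in sigs):
                why = "expired or not yet valid"
            else:
                why = "cryptographically invalid"
            diagnostics[tag] = f"matches DS but its RRSIG over DNSKEY is {why}"
        else:
            flag = "set" if key.has_sep_flag else "clear"
            state = "valid" if usable else "absent or invalid"
            diagnostics[tag] = f"no DS matches this key (SEP flag {flag}); its RRSIG over DNSKEY is {state}"
    return entry_points, diagnostics


OWNER = "example.test."                             # placeholder zone, not the thread's
KSK = DNSKEY(257, 3, 13, bytes(range(64)))          # constructed: SEP flag set, ECDSAP256SHA256
ZSK = DNSKEY(256, 3, 13, bytes(range(64, 128)))     # constructed: SEP flag clear


def broken_state():
    """Shape of the thread's diagnosis: DS-matching key's DNSKEY RRSIG expired, other key has no DS."""
    sigs = [RRSIG(KSK.key_tag(), 13, NOW - 30 * 86400, NOW - 3600),
            RRSIG(ZSK.key_tag(), 13, NOW - 86400, NOW + 7 * 86400)]
    return find_secure_entry_points(OWNER, [KSK, ZSK], [ds_for_key(OWNER, KSK)], sigs)


def repaired_state():
    """After the DNSKEY RRset is re-signed with the DS-matching key."""
    sigs = [RRSIG(KSK.key_tag(), 13, NOW - 3600, NOW + 14 * 86400),
            RRSIG(ZSK.key_tag(), 13, NOW - 86400, NOW + 7 * 86400)]
    return find_secure_entry_points(OWNER, [KSK, ZSK], [ds_for_key(OWNER, KSK)], sigs)


if __name__ == "__main__":
    for label, fn in (("before", broken_state), ("after", repaired_state)):
        eps, diag = fn()
        print(label, "secure entry points:", eps)
        for tag, reason in diag.items():
            print(f"  key {tag}: {reason}")
```

The "before" run reports no secure entry point with one key "matches DS but its RRSIG over DNSKEY is expired" and the other "no DS matches this key (SEP flag clear)", the same two findings the thread arrives at; the "after" run names the DS-matching key as the entry point. In production the same check is what `delv +vtrace` or DNSViz performs, and the monitoring takeaway is to alert on the DNSKEY RRSIG expiration time of the DS-matching key well before it lapses.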