[dns-operations] Edge-case, zero-length DNSKEYs

Mark Andrews marka at isc.org
Tue Oct 6 20:27:47 UTC 2020


They are just malformed. No key material is not permitted with DNSKEY. It’s one of the differences to KEY.

-- 
Mark Andrews

> On 7 Oct 2020, at 04:40, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> After an algorithm rollover (RSA 8 -> ECDSA P256 13) a couple of days
> back, two domains now have new zero-length RSA 8 KSKs, along with
> working new ECDSA KSKs:
> 
>    https://stats.dnssec-tools.org/explore/?nlagriculture.nl
>    https://stats.dnssec-tools.org/explore/?nlenergyandclimatechange.nl
> 
> It isn't only the RSA modulus that is empty, but rather the entire
> DNSKEY key value (exponent length, exponent, modulus):
> 
>    nlagriculture.nl. IN DNSKEY 257 3 8  ; NoError
>    nlagriculture.nl. IN DNSKEY 257 3 13 vRMOgGXuo/Ra...Yj7dpYrzWOg== ; NoError
>    nlagriculture.nl. IN DNSKEY 256 3 8 AwEAAfc58Rv7...6fPPDdZJ/tfj ; NoError
>    nlagriculture.nl. IN DNSKEY 256 3 8 AwEAAeBjJKDZ...pOKqfoFAnmx1 ; NoError
> 
>    nlenergyandclimatechange.nl. IN DNSKEY 257 3 8  ; NoError
>    nlenergyandclimatechange.nl. IN DNSKEY 257 3 13 SURx8TOW5B07...liYpu7BmE0w== ; NoError
>    nlenergyandclimatechange.nl. IN DNSKEY 256 3 8 AwEAAb2AbhJT...ppErUsfvCMGtv ; NoError
>    nlenergyandclimatechange.nl. IN DNSKEY 256 3 8 AwEAAaeQDrF0...u3IdA2xzSiqZF ; NoError
> 
> Unbound validates the DNSKEY RRset just fine, but these give DNSViz some indigestion:
> 
>    https://dnsviz.net/d/nlagriculture.nl/X3yhPg/dnssec/
>    https://dnsviz.net/d/nlenergyandclimatechange.nl/X3yhXg/dnssec/
> 
> the graphs fail to display.  I wonder whether any other tools
> (especially resolvers) have difficulties with these...
> 
> -- 
>    Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
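
An added example, not part of either message and not code from any tool named in the thread: a Python check of a DNSKEY public-key field against the RSA layout of RFC 3110 (exponent length, exponent, modulus) and the fixed key sizes of algorithms 13 to 16. The owner name `example.nl.` and the sample keys are constructed; the function names are hypothetical.

```python
import base64

RSA_ALGS = {5, 7, 8, 10}                      # RSA-based DNSSEC algorithms
FIXED_LEN = {13: 64, 14: 96, 15: 32, 16: 57}  # ECDSA P-256/P-384, Ed25519, Ed448

def check_dnskey(algorithm, key_b64):
    """Return "ok", or the reason the DNSKEY public-key field is malformed."""
    try:
        key = base64.b64decode(key_b64.replace(" ", ""), validate=True)
    except ValueError:
        return "public key is not valid base64"
    if not key:
        return "empty public key"          # the case reported in the thread
    if algorithm in FIXED_LEN:
        want = FIXED_LEN[algorithm]
        return "ok" if len(key) == want else f"expected {want} octets, got {len(key)}"
    if algorithm in RSA_ALGS:
        # RFC 3110: one length octet, or 0x00 followed by a two-octet length
        exp_len, off = key[0], 1
        if exp_len == 0:
            if len(key) < 3:
                return "truncated exponent length"
            exp_len, off = int.from_bytes(key[1:3], "big"), 3
        if exp_len == 0:
            return "zero-length exponent"
        if len(key) < off + exp_len:
            return "truncated exponent"
        if len(key) == off + exp_len:
            return "missing modulus"
        return "ok"
    return "ok"  # other algorithms are not inspected here

def audit(rrset):
    """Return (owner, flags, algorithm, reason) for each malformed DNSKEY."""
    out = []
    for owner, flags, alg, key in rrset:
        reason = check_dnskey(alg, key)
        if reason != "ok":
            out.append((owner, flags, alg, reason))
    return out

# Constructed sample RRset; the keys are filler bytes, not the thread's keys.
GOOD_RSA = base64.b64encode(b"\x03\x01\x00\x01" + b"\xc3" * 256).decode()
GOOD_P256 = base64.b64encode(b"\x5a" * 64).decode()
SAMPLE = [("example.nl.", 257, 8, ""), ("example.nl.", 257, 13, GOOD_P256),
          ("example.nl.", 256, 8, GOOD_RSA)]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```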




