[dns-operations] Looking for someone in charge for gtm-ext.dla.mil, DNSSEC validates as Bogus

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Mar 11 08:38:46 UTC 2021 

On Thu, Mar 11, 2021 at 08:52:37AM +0100, Winfried Angele wrote:

> Hello list,
> 
> the zone gtm-ext.dla.mil validates as Bogus. For instance:

The containing zone is dla.mil, with no delegation for this
subdomain.  Its SOA is:

    dla.mil. IN SOA eagleib1.ad.dla.mil. gregory.weaver at dla.mil. 2008266450 10800 1080 604800 900

I am reporting the "rname" as an email address with a "@" between the
first and remaining labels.  So perhaps start there.


> Also visible on DNSViz 
> https://dnsviz.net/d/quicksearch.gtm-ext.dla.mil/dnssec/

Somehow the subdomain as served by the parent's nameservers ended up
with its own separate DNSKEYs and a DS RRset owned by the subdomain,
rather than the parent:

    gtm-ext.dla.mil. IN DNSKEY 257 3 8 AwEAAakiB93xx2GkyKCjqE9tsGE8Xb/cbS9oW+AIjD23bvsRxRVczDUchMbw6RvbJq/qH9rdspXCStgpdEvLWXWC0cCTkx/cJ8hf3UJMgMj3jd3lTxSo1KJaS5DXRdJR2+OuYEUZ3NMVJZhuJsVlYDJRFWOrnLOxuWYU65aY/eRE7rp9Z9aPN21bIDzokmVI9L3v8hd3ApQJhe2B4hnuKvvU5R+0lDkK9t2cHjvrh3ggAhR9fqZIUkVWzZA01mgJR3D8gt1MiwX9sPGwSAmCHCGdljrhvPy675CBt3cSdhCced1Ys4eIzblyp/fWsdRGaldYWWZYQUw21NGzCVTd0faNSpc=
    gtm-ext.dla.mil. IN DNSKEY 256 3 8 AwEAAcldZpiH0g67gZS8K0T7VxRXumVxDinai8hrK17PzRZlAn63Zx5eNOFMql4TZ1e2eT3lwwH1zMx8mWbQqvQafbhlkm9onfnJkAa7oaRpi/YHK/lStrBadmYx6aE/DOz+7o5EM/mYlvfoS0kQm0RR21aMxNZ4za1mbV5N13OY5Nhj

    gtm-ext.dla.mil. IN DS 33646 8 2 cf58476a6e7145302866a112677862f08bb29611b6acdbed0fc44997bb75d8ba
    gtm-ext.dla.mil. IN DS 33646 8 1 6f6faf621c1dbd3966b1b2fac3f41f773a297388
    gtm-ext.dla.mil. IN RRSIG DS 8 3 86400 20210320013600 20210310012713 58143 dla.mil. mOpFYLQH8NkyFO3d7FCzCeZACD8puDeu2QW/dTRt4HaiCtWpD0zzwrjmt4yg4RY8cf35BSsMqt95Cgz6Rxvgea588ZYyJoi+he6N/2gHZgBUbYlJPR38vGuYYka/oKhhccGy3VBFc2JrvYZ/y+yProfjWii8hTVglZE9hb0ch70=

So sure looks like some delegation data is populated in error into the
subdomain rather than the parent, but on the other hand there is neither
an SOA RRSet nor an NS RRSet for the subdomain...

--
    Viktor.

More information about the dns-operations mailing list