[dns-operations] Looking for someone in charge for gtm-ext.dla.mil, DNSSEC validates as Bogus

Peter van Dijk peter.van.dijk at powerdns.com
Thu Mar 11 09:59:49 UTC 2021


On Thu, 2021-03-11 at 10:33 +0100, Peter van Dijk wrote:
> 
> That actually looks fine to me - DS is signed by parent (dla.mil),
> DNSKEY is signed by child (gtm-ext.dla.mil).

This means that the error reported by DNSViz:

RRSIG quicksearch.gtm-ext.dla.mil/A alg 8, id 29085: The Signer's Name field of the RRSIG RR (gtm-ext.dla.mil) does not match the name of the zone containing the RRset (dla.mil).

does not seem like the right conclusion to me.

(To be clear, the name does not deserve to resolve because of all the problems, but DNSViz is not correctly pointing to the pain I think.)

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com



More information about the dns-operations mailing list