[dns-operations] Looking for someone in charge for gtm-ext.dla.mil, DNSSEC validates as Bogus

Casey Deccio casey at deccio.net
Thu Mar 11 16:58:02 UTC 2021



> On Mar 11, 2021, at 2:59 AM, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> 
> On Thu, 2021-03-11 at 10:33 +0100, Peter van Dijk wrote:
>> 
>> That actually looks fine to me - DS is signed by parent (dla.mil),
>> DNSKEY is signed by child (gtm-ext.dla.mil).
> 
> This means that the error reported by DNSViz:
> 
> RRSIG quicksearch.gtm-ext.dla.mil/A alg 8, id 29085: The Signer's Name field of the RRSIG RR (gtm-ext.dla.mil) does not match the name of the zone containing the RRset (dla.mil).
> 
> does not seem like the right conclusion to me.
> 
> (To be clear, the name does not deserve to resolve because of all the problems, but DNSViz is not correctly pointing to the pain I think.)

That's a fair point.  *Normally* the error would be something more like: "No RRSIGs were found covering the RRset".  But in this case, there *was* an RRSIG, so it didn't get *that* error.  DNSViz used to complain when an RRSIG didn't align to a DNSKEY, but that was changed because sometimes there were legitimate reasons for that (like pre-publishing RRSIGs as part of an algorithm rollover).  So all we were left with was an error about the RRSIG itself (i.e., name didn't match).  Probably the "no RRSIG" error should be modified to be "no RRSIG for an existing DNSKEY".

Casey
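The distinction Casey draws (an RRSIG that exists but whose Signer's Name points at the wrong zone, versus no RRSIG made by any DNSKEY the zone actually publishes) is easy to see in a small diagnostic. The following is an added example, not code from the mailing-list post or from DNSViz; the zone cuts, DNSKEY key tags and RRSIG records are constructed values, and the message wording simply mirrors the two errors quoted above plus the "no RRSIG for an existing DNSKEY" variant Casey proposes.

```python
"""Added example: reproduce the three RRSIG diagnostics discussed in the
thread on constructed data (no network, no dnspython).

Assumptions (hypothetical, not from the post):
  * names are fully qualified with a trailing dot,
  * zone_cuts is the set of zone apexes the validator already knows about,
  * dnskeys maps a zone apex to the set of key tags it publishes.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rrsig:
    owner: str         # owner name of the RRset the signature covers
    type_covered: str  # e.g. "A"
    signer: str        # the RRSIG's Signer's Name field
    key_tag: int       # key tag of the DNSKEY that (claims to have) signed it


def zone_containing(name, zone_cuts):
    """Return the deepest known zone apex that is an ancestor-or-self of name.

    This is what the validator uses as 'the zone containing the RRset'; an
    RRSIG is only acceptable if its Signer's Name equals this apex.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone_cuts:
            return candidate
    return "."


def diagnose(owner, rrtype, rrsigs, zone_cuts, dnskeys):
    """Return a list of diagnostic strings for one RRset (empty == fine)."""
    zone = zone_containing(owner, zone_cuts)
    published_tags = dnskeys.get(zone, set())
    findings = []

    # 1. Is there any RRSIG at all for this RRset?
    covering = [s for s in rrsigs
                if s.owner == owner and s.type_covered == rrtype]
    if not covering:
        findings.append("No RRSIGs were found covering the RRset")
        return findings

    # 2. Does each RRSIG's Signer's Name match the zone that holds the RRset?
    aligned_to_zone = []
    for sig in covering:
        if sig.signer != zone:
            findings.append(
                f"RRSIG {owner}/{rrtype} id {sig.key_tag}: The Signer's Name "
                f"field of the RRSIG RR ({sig.signer}) does not match the name "
                f"of the zone containing the RRset ({zone}).")
        else:
            aligned_to_zone.append(sig)
    if not aligned_to_zone:
        return findings

    # 3. Of the RRSIGs that name the right zone, does at least one correspond
    #    to a DNSKEY that zone currently publishes?  Extra RRSIGs for keys that
    #    are not (yet) published are tolerated, e.g. during an algorithm
    #    rollover, so this is only an error when *none* of them match.
    if not any(sig.key_tag in published_tags for sig in aligned_to_zone):
        findings.append(
            f"No RRSIG for an existing DNSKEY of {zone} covers {owner}/{rrtype}")
    return findings


# --- constructed sample data ---------------------------------------------
CUTS = {".", "example.", "sub.example."}
KEYS = {"example.": {11111}, "sub.example.": {22222}}
OWNER, RRTYPE = "www.sub.example.", "A"


def case_ok():
    return diagnose(OWNER, RRTYPE,
                    [Rrsig(OWNER, RRTYPE, "sub.example.", 22222)], CUTS, KEYS)


def case_signer_mismatch():
    # Validator does not know sub.example. as a zone, so the RRset is
    # considered part of example. and the child's signature is misnamed.
    return diagnose(OWNER, RRTYPE,
                    [Rrsig(OWNER, RRTYPE, "sub.example.", 22222)],
                    CUTS - {"sub.example."}, KEYS)


def case_no_matching_key():
    # Signer's Name is right, but key tag 33333 is not in sub.example.'s DNSKEY set.
    return diagnose(OWNER, RRTYPE,
                    [Rrsig(OWNER, RRTYPE, "sub.example.", 33333)], CUTS, KEYS)


def case_unsigned():
    return diagnose(OWNER, RRTYPE, [], CUTS, KEYS)


if __name__ == "__main__":
    for fn in (case_ok, case_signer_mismatch, case_no_matching_key, case_unsigned):
        print(fn.__name__, "->", fn() or ["(no findings)"])
```

The mismatch case shows why the thread found the DNSViz message misleading: the same RRSIG is perfectly fine once the validator knows about the `sub.example.` cut, so the useful question is not "is the name wrong" but "is there any signature from a key this zone actually publishes", which is what the third check reports.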

