[dns-operations] Looking for someone in charge for gtm-ext.dla.mil, DNSSEC validates as Bogus
Peter van Dijk
peter.van.dijk at powerdns.com
Thu Mar 11 18:54:36 UTC 2021
On Thu, 2021-03-11 at 09:58 -0700, Casey Deccio wrote:
> > On Mar 11, 2021, at 2:59 AM, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> > On Thu, 2021-03-11 at 10:33 +0100, Peter van Dijk wrote:
> > > That actually looks fine to me - DS is signed by parent (dla.mil),
> > > DNSKEY is signed by child (gtm-ext.dla.mil).
> > This means that the error reported by DNSViz:
> > RRSIG quicksearch.gtm-ext.dla.mil/A alg 8, id 29085: The Signer's Name field of the RRSIG RR (gtm-ext.dla.mil) does not match the name of the zone containing the RRset (dla.mil).
> > does not seem like the right conclusion to me.
> > (To be clear, the name does not deserve to resolve because of all the problems, but DNSViz is not correctly pointing to the pain I think.)
> That's a fair point. *Normally* the error would be something more like: "No RRSIGs were found covering the RRset". But in this case, there *was* an RRSIG, so it didn't get *that* error. DNSViz used to complain when an RRSIG didn't align to a DNSKEY, but that was changed because sometimes there were legitimate reasons for that (like pre-publishing RRSIGs as part of an algorithm rollover). So all we were left with was an error about the RRSIG itself (i.e., name didn't match).
Thank you for explaining that history. I certainly appreciate how your
errors have to guess at the real-world things that are happening.
> Probably the "no RRSIG" error should be modified to be "no RRSIG for an existing DNSKEY".
But, in this case, the DNSKEY does exist, and a DS is pointing at it
correctly, and the problems are almost unrelated to those, as far as I
can see. My impression is that DNSViz is confused for the same reason a
default PowerDNS Recursor gets confused on this name - conflicting
facts from queries *other than* those DS and DNSKEY queries.
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
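Added example, not code from the thread, DNSViz or PowerDNS: two ways a validator can decide which zone "contains" an RRset, run on records modelled on the names in this thread. The DS/DNSKEY facts follow what the thread states; which other answers conflicted is not stated, so the SOA observations below are a constructed assumption to show how the two methods diverge.

```python
# Added example (assumption-labelled); names use a trailing dot throughout.

def ancestors(name: str):
    """Yield name itself, then each parent, ending with the root '.'."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."

def zone_from_chain(name: str, ds_in_parent: set, dnskey_at: set) -> str:
    """Apex = closest enclosing name with its own DNSKEY and a DS in its parent."""
    for cand in ancestors(name):
        if cand in dnskey_at and (cand in ds_in_parent or cand == "."):
            return cand
    raise ValueError("no secure apex found for %s" % name)

def zone_from_soa(name: str, soa_seen_at: set) -> str:
    """Apex = closest enclosing name at which an SOA was observed."""
    for cand in ancestors(name):
        if cand in soa_seen_at:
            return cand
    raise ValueError("no SOA found above %s" % name)

def check_signer(signer: str, zone: str):
    """Return the DNSViz-style complaint, or None when signer matches the apex."""
    if signer != zone:
        return ("The Signer's Name field of the RRSIG RR (%s) does not match "
                "the name of the zone containing the RRset (%s)." % (signer, zone))
    return None

# Facts as stated in the thread: DS in dla.mil, DNSKEY at gtm-ext.dla.mil,
# RRSIG on quicksearch.gtm-ext.dla.mil/A signed by gtm-ext.dla.mil.
OWNER = "quicksearch.gtm-ext.dla.mil."
SIGNER = "gtm-ext.dla.mil."
DS_IN_PARENT = {"mil.", "dla.mil.", "gtm-ext.dla.mil."}
DNSKEY_AT = {".", "mil.", "dla.mil.", "gtm-ext.dla.mil."}
# Constructed assumption: suppose no usable SOA was seen at gtm-ext.dla.mil.
SOA_SEEN_AT = {".", "mil.", "dla.mil."}

def verdict_by_chain():
    return check_signer(SIGNER, zone_from_chain(OWNER, DS_IN_PARENT, DNSKEY_AT))

def verdict_by_soa():
    return check_signer(SIGNER, zone_from_soa(OWNER, SOA_SEEN_AT))

if __name__ == "__main__":
    print("DS/DNSKEY view :", verdict_by_chain())
    print("SOA view       :", verdict_by_soa())
```

The DS/DNSKEY walk places the RRset in gtm-ext.dla.mil and accepts the signer, while the SOA-based walk places it in dla.mil and produces the mismatch message, which is the kind of divergence the thread attributes to non-DS/DNSKEY answers.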