[dns-operations] [outages at outages.org: [outages] DNSSEC issues .se]

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Feb 4 17:37:21 UTC 2022


On Fri, Feb 04, 2022 at 05:48:41PM +0100, Stephane Bortzmeyer wrote:

> From: Jonathan Sélea via Outages <outages at outages.org>
> To: "outages at outages.org" <outages at outages.org>
> Subject: [outages] DNSSEC issues .se
> 
> Apparently, if a unsigned domain is followed by a signed domain in the
> .se zone - the domain wont resolve due to NSEC errors.

The problem is not limited to "unsigned followed by signed", here's a
counter-example:

 12timmarsbillingen.se. DS 12412 8 1 F2C2875A83586049209043F8902C14480CB23ADC
 12timmarsbillingen.se. DS 12412 8 2 38E21AD13565B3742C7025EC6A377E2469E006AF07263D820A86B94C 8EE2F72F
 12timmarsbillingen.se. RRSIG DS 8 2 3600 20220214223716 20220201211104 30015 se. ...
 ;
 12timmarsbillingen.se. NSEC 12tio.se. NS DS RRSIG NSEC
 12timmarsbillingen.se. RRSIG NSEC 8 2 7200 20220217092758 20220204091055 30015 se. AAH/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////ADAxMA0GCWCGSAFlAwQCAQUABCB60KcmsNHUcT/lUUzcsAgqKrLtDlGjohL/JgW5gHmzpA==

 12tio.se. DS 8042 13 2 10DBC098B055E8DFE252659D50202A35AAF631BB9824D076F0B34CB576F4E282
 12tio.se. RRSIG DS 8 2 3600 20220215032204 20220201111053 30015 se. ...
 ;
 12tio.se. NSEC 12trad.se. NS DS RRSIG NSEC
 12tio.se. RRSIG NSEC 8 2 7200 20220215230329 20220202141108 30015 se. KK5w0vghV65yxdTUkoBNTQ7pCJnOrtLRtf4le/e91RiFTi/RF3UPeNP0bQ0vFi1oT77Mk4mmNgi9RztycCCMUiy4Zb0+Rd2VhTNaHVQZFhYAx1/V4wsC773ZbQgzDaYk8sIQsw1pHt67NXOURbBUV4oiajHaN62HKYuo+ETkkSY+l7AuGQQN3jUDdeaaU97zIVgLhAYrw3mod72HVwEWDVMZmatIYlCrs8yg0kXENihcwdMirhtICGdzN1oat7oQrIim0XJbVRBlfA8LaAevbPtR3VgiAHwxItqgOpDq7i4RPrjsfC/qscW+g4/iMZNViW4l56N/fPBIvR0+T6X1FQ==

Roughly 0.6% of the NSEC RRSIGs appear to be affected.

-- 
    Viktor.



More information about the dns-operations mailing list