[dns-operations] TLD .law - non-signing KSK with referenced DS

Brett Carr brett.carr at nominet.uk
Fri Jan 14 13:25:35 UTC 2022


This is the expected state; this TLD is mid-transition. When this is complete, the currently unused DS and DNSKEY will be used for signing. This is pre-publication of the new data.

Regards

Brett

--
Brett Carr
Manager DNS Engineering
Nominet UK


From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of Matthew Richardson <matthew-l at itconsult.co.uk>
Date: Friday, 14 January 2022 at 10:17
To: dns-operations at dns-oarc.net <dns-operations at dns-oarc.net>
Subject: [dns-operations] TLD .law - non-signing KSK with referenced DS
Having been looking at .law following what looks like a slightly
sub-optimal redelegation (now complete), I notice that Zonemaster is
reporting DNSSEC issues:-

https://www.zonemaster.fr/result/f9fcceaef969aea1

>DNSSEC ERROR The DNSKEY RRset is not signed by the DNSKEY with
>tag 16819 that the the DS record refers to.

whereas DNSViz reports no such problem:-

https://dnsviz.net/d/law/YeEwEg/dnssec/

Looking visually at the DNSViz output, the KSK 16819 does look strange as
it is referenced by a DS but does not sign anything.

Out of interest, do folks think this is a valid configuration?

Best wishes,
Matthew
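
The state discussed in this thread, as an added example that is not part of either message: a validator needs only one DS that matches a DNSKEY which signs the DNSKEY RRset, so an extra DS pointing at a non-signing key is pre-publication rather than a break. The function names and all key tags other than 16819 are constructed, and matching is by key tag only (a real validator also compares algorithm and digest and verifies the signatures).

```python
def classify_ds(ds_tags, dnskey_tags, dnskey_rrsig_tags):
    """Classify each parent-side DS by the role of its key in the child zone.

    ds_tags:           key tags in the DS RRset at the parent
    dnskey_tags:       key tags in the DNSKEY RRset at the child apex
    dnskey_rrsig_tags: key tags of the RRSIGs covering the DNSKEY RRset
    Assumption: tag equality stands in for the full DS digest comparison.
    """
    published = set(dnskey_tags)
    # A signature from a key that is not in the DNSKEY RRset cannot be used.
    signers = set(dnskey_rrsig_tags) & published
    result = {}
    for tag in ds_tags:
        if tag not in published:
            result[tag] = "ds-only"        # DS present, DNSKEY not in the zone
        elif tag in signers:
            result[tag] = "active"         # secure entry point currently in use
        else:
            result[tag] = "pre-published"  # DNSKEY present but signing nothing
    return result


def chain_is_secure(classification):
    """One working DS -> DNSKEY -> RRSIG path is enough for validation."""
    return "active" in classification.values()


# Constructed sample data. 16819 is the tag named in the thread;
# 20001 (a signing KSK) and 30002 (a ZSK) are made-up values.
SAMPLE_DS = [16819, 20001]
SAMPLE_DNSKEYS = [16819, 20001, 30002]
SAMPLE_SIGNERS = [20001]

if __name__ == "__main__":
    mid_rollover = classify_ds(SAMPLE_DS, SAMPLE_DNSKEYS, SAMPLE_SIGNERS)
    for tag, state in mid_rollover.items():
        print(f"DS {tag}: {state}")
    print("secure:", chain_is_secure(mid_rollover))

    # Failure mode: the signing key's DS is withdrawn before the new key signs.
    early_removal = classify_ds([16819], SAMPLE_DNSKEYS, SAMPLE_SIGNERS)
    print("secure after early DS removal:", chain_is_secure(early_removal))
```

A monitoring check built this way would alert only when no DS is "active", and report "pre-published" entries as informational.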