[dns-operations] TLD .fj broken (DNSSEC issue)

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Mar 8 09:23:21 UTC 2022


Entire TLD down since the DS goes to an unexisting key
<https://dnsviz.net/d/fj/YicaMA/dnssec/>.

% dig @a.root-servers.net fj ds


; <<>> DiG 9.16.22-Debian <<>> @a.root-servers.net fj ds
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21820
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fj.			IN DS

;; ANSWER SECTION:
fj.			86400 IN DS 18952 8 2 (
				B22F5938AD822A76499A3AC295E061CC07FCE36D7956
				E26A4F51AEDE1717F993 )
fj.			86400 IN RRSIG DS 8 1 86400 (
				20220321050000 20220308040000 9799 .
				GV9jHAYa1/THxNVXY8xfd9KpkgfWJH9etKm6d13p95Dp
				DI/i8q8gDCYHK3s7+QkQWmwnuhyIajYXbJGpwjpIZFJJ
				dUlL6kJyApAbx8p+XvnMRE8IiI7HwjE+SReu4iOVhuXy
				sBEDGvdwHjENYes8g7S909FefLFCaBfZ8WVWVBWOOQNY
				ueERcBFn6kAUSM8Es5xzt7B0UnivO+dWX6NSXxzVPxTW
				8hTsWXoyLle6Qkxti2+4zQJS/UlQYYeSUZbj/bGTlV/j
				8z7GdoFngXNwyZXrGxmdqxSvzFUh9/38Idn0xC1HAvFW
				4jhDCS1WV9NPiBs0Wx/VG8yMM0KGXbi+Fg== )

;; Query time: 12 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Tue Mar 08 10:22:09 CET 2022
;; MSG SIZE  rcvd: 366

But:

% dig @144.120.146.1 fj dnskey

; <<>> DiG 9.16.22-Debian <<>> @144.120.146.1 fj dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53588
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 2c82e96a472de66f47f4f4ee62272071aeeee682d2e21408 (good)
;; QUESTION SECTION:
;fj.			IN DNSKEY

;; ANSWER SECTION:
fj.			3600 IN	DNSKEY 256 3 8 (
				AwEAAdpT6o6ustm4WxYhP8Xa6P1+1dvYExn1LyOC9qUX
				dbt3BWPok+obi69yRywGD740Aj6AO7To2HXDlLF3YF5c
				R1mO5mo6iSTHqNAg4rjE49/BVxjV3KgmEOGFdtiMbAi+
				4d6KMPkl+HULwmJkdcu8gkG9cYjBkJ2OUpfvsjaZ47/a
				zk+d8ffEd0oN/0dC9lhcaeYOvhJehdGHFemKY3Mk5O1F
				Zrww9OF3SOBSrW+C6LPk04/mTji7j6OeIDfFIMvuu0oN
				OAqxTlwUuoTeIiHmJZ0jNlKgBgmsTmlRETAEjcDqcGha
				wiENI65uRYbx2eRv5k2U5If0ydhMxBLYAcqFEHE=
				) ; ZSK; alg = RSASHA256 ; key id = 24459
fj.			3600 IN	DNSKEY 257 3 8 (
				AwEAAchm/6TsZVKXuzGe+5Kx/7PW2j1jMkctAL+FaWn+
				LW28Kzr4KI9XQz2bd1byWdsljsKkW1zMiiLBlxHcmUiK
				vv8hIPLwdxwEdutCve9arJNfDyDhCf5SCHenzQwaR3pQ
				zQ+QzaTVPQKz9VIfV6u06wGqq4iTo014N2ITs2EtYU0T
				bydZ/cOuy2+N5xE1Xi6JrJuwPKSQfi3M3Ojb3SA4EK6f
				BaiGM2Ri1DN6OD+5A8Z9R4EihqAtPtkjJI8mqAbmXu+d
				krMJVljtaCMlt2tejaqzqfwd4FJQEdFRiEdMwB3sYjsH
				+cMn3QJlvlSXm/w174e5Wzvk563TvuPOrLzefQU=
				) ; KSK; alg = RSASHA256 ; key id = 12931
fj.			3600 IN	RRSIG DNSKEY 8 1 3600 (
				20220321164811 20220307230005 12931 fj.
				uRN6QJdTyElu51Xzz30KDF8efDUL+RrZwjy4YyPX2YKv
				fLJ5ugQm2jA/Js3UteScHJOEzBobYLnWI/jKYqi6/EVX
				78KCaqDMZwnkDOVn6FKRUM+oK/FPWFCPWAUQQ6pVWqY3
				OiU/GA5yW6f5oD0yyt3K0HIpAnC86lAftGyhHSoeDm4D
				EF+yJPJtB07z2/dyIthg8Gtzo9/24yEAgWjhFPa/DNWv
				K7jw2/alPUBFMNTIWGba918PJRgJg8G6HQQ4xWqr4xV/
				O7gPRk+Wh8/YlfrGdfWoBTax2VMvQGhrBmqTqxwKwaEC
				+gpwGasOMSF5g/DujuHSQ0NK7+L67m+wHA== )

;; Query time: 320 msec
;; SERVER: 144.120.146.1#53(144.120.146.1)
;; WHEN: Tue Mar 08 10:22:57 CET 2022



More information about the dns-operations mailing list