[dns-operations] Trouble with qa.ws.igt.fiscal.treasury.gov

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Oct 18 20:06:17 UTC 2022


> >> https://dnsviz.net/d/qa.ws.igt.fiscal.treasury.gov/dnssec/
> > 
> > DNSViz struggles to display this properly, because the same underlying
> > nameservers serve both the parent and child zone, and instead of
> > referrals serves authoritative data from the child.  However, the
> > parent zone is signed, and the child zone is not.  A resolver
> > expecting signed answers from the parent sees unsigned answers
> > instead and is liable to get confused.
> 
> The one clear issue that I see here is that the signer field in RRSIGs
> in responses from fiscal.treasury.gov is treasury.gov:
> 
> $ dig +dnssec @ns1.treasury.gov igt.fiscal.treasury.gov ds | awk '$4 == "RRSIG" { print $12 }'
> treasury.gov.
> treasury.gov.

In more detail:

    $ dig +dnssec +nocrypto +nocl +nottl +nocmd @ns1.treasury.gov igt.fiscal.treasury.gov ds
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50116
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;igt.fiscal.treasury.gov. IN DS

    ;; AUTHORITY SECTION:
    fiscal.treasury.gov.    SOA     ns1.treasury.gov. ecb-hosting.fiscal.treasury.gov. 149240 3600 900 1209600 900
    fiscal.treasury.gov.    RRSIG   SOA 7 3 900 20221023235856 20221016225856 3908 treasury.gov. [omitted]
    f4s09eu1581gb4kordo869r2hnia9mah.treasury.gov. NSEC3 1 0 1 46A5FF83352054F7 F4S09EU1581GB4KORDO869R2HNIA9MAI NS RRSIG
    f4s09eu1581gb4kordo869r2hnia9mah.treasury.gov. RRSIG NSEC3 7 3 900 20221025185901 20221018175901 3908 treasury.gov. [omitted]

> Because there is a zone cut at fiscal.treasury.gov, the the signer
> should be fiscal.treasury.gov.

That is defintely not kosher, given the SOA, there should of course be
no "treasury.gov" signatures for fiscal.treasury.gov names, and the NSEC
records are on the wrong side of the delegation...

> That being said, I can't tell at-a-glance why DNSViz is drawing ZSK
> 3908 in the fiscal.treasury.gov zone, rather than in the treasury.gov
> zone.

Given the conflicting signals, perhaps garbage in garbage out?

-- 
    Viktor.


More information about the dns-operations mailing list