[dns-operations] Trouble with qa.ws.igt.fiscal.treasury.gov

Scott Morizot tmorizot at gmail.com
Tue Oct 18 22:02:02 UTC 2022


There's a validated insecure delegation from treasury.gov to
fiscal.treasury.gov.

I can't say why any RRSIGs or other DNSSEC records are being returned for
queries for records in fiscal.treasury.gov, however those records are
spurious. As DNSVIZ does show, the delegation from the last secure zone,
treasury.gov, to fiscal.treasury.gov is insecure. And thus the subsequent
delegation from fiscal.treasury.gov to igt.fiscal.treasury.gov is also
insecure. Once the chain of trust is properly broken and the status moves
to insecure, everything below that point is also insecure.

DNSVIZ is attempting to make some sense of the spurious DNSSEC records and
show what the state would be if there weren't an insecure delegation at
treasury.gov. Or at least that's my guess at what it's doing.

I haven't found any public resolver or other implemented validator that
doesn't properly validate qa.ws.igt.fiscal.treasury.gov as insecure.

Scott


On Tue, Oct 18, 2022, 15:35 Casey Deccio <casey at deccio.net> wrote:

> > On Oct 18, 2022, at 1:58 PM, Mark Andrews <marka at isc.org> wrote:
> >
> > Not for DS  as it is part of the parent zone.
> >
>
> Right.  What I meant (but didn't say) was this:
>
> The following is a query for testing for the presence of a DS record in
> the igt.fiscal.treasury.gov zone.  The signer for the records in the
> response should be the parent zone of igt.fiscal.treasury.gov, which is
> fiscal.treasury.gov.  However, the signer for the records in the
> observed response is treasury.gov.
>
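An added illustration, not code from this thread or from DNSViz: it models the two points made above (status propagating to "insecure" below a broken delegation, and a DS RRset having to be signed by the parent zone) over constructed delegation data. Zone names are from the thread; the DS and signer facts in `CONSTRUCTED`, and all function names, are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cut:
    child: str                 # zone below the cut, e.g. "fiscal.treasury.gov."
    parent_signs_ds: bool      # parent publishes a validated DS for this child
    signer: Optional[str]      # signer name on RRSIGs returned for child data

def parent_zone(name: str) -> str:
    """Strip the leftmost label: 'igt.fiscal.treasury.gov.' -> 'fiscal.treasury.gov.'"""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."

def walk_chain(cuts: list) -> dict:
    """Assign a validation status to each zone, top-down from the trust anchor.
    A zone is secure only if its parent is secure AND the parent publishes a
    validated DS for it. Below an insecure delegation every zone is insecure,
    whatever RRSIGs happen to be returned; those RRSIGs are flagged as spurious."""
    status = {".": "secure"}  # the root is the trust anchor
    for cut in sorted(cuts, key=lambda c: c.child.count(".")):
        parent = parent_zone(cut.child)
        if status.get(parent) == "secure" and cut.parent_signs_ds:
            status[cut.child] = "secure"
        elif cut.signer is not None:
            status[cut.child] = "insecure (spurious RRSIG)"
        else:
            status[cut.child] = "insecure"
    return status

def ds_signer_ok(child: str, observed_signer: str) -> bool:
    """A DS RRset lives in the parent zone, so its RRSIG signer must be the
    parent. For igt.fiscal.treasury.gov the expected signer is
    fiscal.treasury.gov, not treasury.gov."""
    return observed_signer == parent_zone(child)

# Constructed data mirroring the thread: the cut at fiscal.treasury.gov is
# insecure, yet RRSIGs signed by treasury.gov are returned below it.
CONSTRUCTED = [
    Cut("gov.", True, "gov."),
    Cut("treasury.gov.", True, "treasury.gov."),
    Cut("fiscal.treasury.gov.", False, "treasury.gov."),    # insecure delegation
    Cut("igt.fiscal.treasury.gov.", True, "treasury.gov."),  # parent already insecure
]

if __name__ == "__main__":
    for zone, st in walk_chain(CONSTRUCTED).items():
        print(f"{zone:30} {st}")
    print("DS signer ok:", ds_signer_ok("igt.fiscal.treasury.gov.", "treasury.gov."))
```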