[dns-operations] Trouble with qa.ws.igt.fiscal.treasury.gov

Casey Deccio casey at deccio.net
Tue Oct 18 23:13:54 UTC 2022


> On Oct 18, 2022, at 4:02 PM, Scott Morizot <tmorizot at gmail.com> wrote:
> 
> I can't say why any RRSIGs or other DNSSEC records are being returned for queries for records in fiscal.treasury.gov, however those records are spurious. As DNSVIZ does show, the delegation from the last secure zone, treasury.gov, to fiscal.treasury.gov is insecure. And thus the subsequent delegation from fiscal.treasury.gov to igt.fiscal.treasury.gov is also insecure. Once the chain of trust is properly broken and the status moves to insecure, everything below that point is also insecure.
> 
> DNSVIZ is attempting to make some sense of the spurious DNSSEC records and show what the state would be if there weren't an insecure delegation at treasury.gov. Or at least that's my guess at what it's doing.

I agree with both points.  I just don't know what's going on.  As it turns out, writing a piece of software to try to visualize complex configurations is, um, complex.  I'll add it to my list.  Just know that I'm a little behind... :)

Casey
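
Added example, not part of the original message and not DNSViz code: a small Python model of the status propagation discussed in this thread, showing that once a delegation is insecure (no DS in a secure parent), every zone below it is insecure and any RRSIGs served there are ignored. The `Delegation` type, `chain_status` function and the sample flags are assumptions constructed for illustration; the model also assumes that signatures served under a DS validate.

```python
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

@dataclass(frozen=True)
class Delegation:          # hypothetical type for this example
    child: str             # zone being delegated to
    has_ds: bool           # parent publishes a DS RRset for the child
    serves_sigs: bool      # child returns DNSKEY/RRSIG records (assumed valid)

def chain_status(delegations, anchor_status=SECURE):
    """Walk down from the trust anchor; return [(zone, status, spurious_sigs)]."""
    status, out = anchor_status, []
    for d in delegations:
        if status == SECURE:
            if not d.has_ds:
                status = INSECURE   # authenticated absence of DS ends the chain
            elif not d.serves_sigs:
                status = BOGUS      # DS promises signatures the child does not serve
        # INSECURE and BOGUS are sticky: a DS or RRSIG further down cannot
        # restore trust, because nothing signed vouches for it.
        spurious = status == INSECURE and d.serves_sigs
        out.append((d.child, status, spurious))
    return out

# Constructed sample mirroring the thread: treasury.gov is the last secure
# zone, the delegation to fiscal.treasury.gov has no DS, yet signatures are
# still returned below it. The flag values are assumptions, not measurements.
SAMPLE = [
    Delegation("gov", True, True),
    Delegation("treasury.gov", True, True),
    Delegation("fiscal.treasury.gov", False, True),
    Delegation("igt.fiscal.treasury.gov", False, True),
]

if __name__ == "__main__":
    for zone, status, spurious in chain_status(SAMPLE):
        note = " (signatures present but ignored)" if spurious else ""
        print(f"{zone:28} {status}{note}")
```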