[dns-operations] .GL (Greenland) 2LD DS denial of existence problems

Bill Woodcock woody at pch.net
Tue Jun 20 06:59:52 UTC 2023 

Yes, that too.  There’s a bit of a laundry-list.
    
                -Bill


> On Jun 20, 2023, at 8:47 AM, Mark Andrews <marka at isc.org> wrote:
> 
> Isn’t it more not copying the NS records into the GL zone so that the signer will generate the correct NSEC3 chain?
> You could get away with missing this step pre-DNSSEC if parent and child where served by the same set of servers but
> not now that DNSSEC exists and especially if the parent is signed.
> 
> Mark
> 
>> On 20 Jun 2023, at 16:13, Bill Woodcock <woody at pch.net> wrote:
>> 
>> Yes, the second-levels have been broken since the middle of last October.  CentralNIC unexpectedly created new delegation points for the second-level domains, but has not yet copied the DS records down from the parent, nor created new ones of their own.  We remind them of the issue periodically, but no response thus far.
>> 
>>                               -Bill
>> 
>> 
>> 
>>>> On Jun 20, 2023, at 4:23 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>>> 
>>> The .GL TLD returns bogus NXDOMAIN responses to DS queries for:
>>> 
>>>  com.gl. IN DS ? ; NXDomain https://dnsviz.net/d/com.gl/ZJEMOQ/dnssec/
>>>  gl. IN SOA a.nuuk.nic.gl. gl-admin at tele.gl. 2022119284 900 1800 6048000 3600
>>>  gl. IN RRSIG SOA 8 1 900 20230705050000 20230618050000 39306 gl.  [...]
>>>  s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN NSEC3 1 1 10 504d114b SAGKR73F41OMFFI8TDE1CGHOQM502SIH NS SOA RRSIG DNSKEY NSEC3PARAM
>>>  s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN RRSIG NSEC3 8 2 3600 20230705050000 20230618050000 39306 gl. [...]
>>>  BBTTMJM743SRPQ6J4KQDIUC73E3C1HOA.gl. IN NSEC3 1 1 10 504d114b BSHTF866A32E02RJ617EUE8CCP45A6V4 NS DS RRSIG
>>>  BBTTMJM743SRPQ6J4KQDIUC73E3C1HOA.gl. IN RRSIG NSEC3 8 2 3600 20230705050000 20230618050000 39306 gl. [...]
>>>  6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN NSEC3 1 1 10 504d114b 742MB65DHD2D8BG0846S1RKRER2E8CUB NS DS RRSIG
>>>  6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN RRSIG NSEC3 8 2 3600 20230705050000 20230618050000 39306 gl. [...]
>>> 
>>>  edu.gl. IN DS ? ; NXDomain https://dnsviz.net/d/edu.gl/ZJEKYw/dnssec/
>>>  gl. IN SOA a.nuuk.nic.gl. gl-admin at tele.gl. 2022119284 900 1800 6048000 3600
>>>  gl. IN RRSIG SOA 8 1 900 20230705050000 20230618050000 39306 gl. [...]
>>>  s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN NSEC3 1 1 10 504d114b SAGKR73F41OMFFI8TDE1CGHOQM502SIH NS SOA RRSIG DNSKEY NSEC3PARAM
>>>  s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN RRSIG NSEC3 8 2 3600 20230705050000 20230618050000 39306 gl. [...]
>>>  O3DN0L28MEKMTHMNP658AQ4UUG4CDHTP.gl. IN NSEC3 1 1 10 504d114b OE6EUSIJCPGO9R8RG0RO7Q9TPS7L9A46 NS DS RRSIG
>>>  O3DN0L28MEKMTHMNP658AQ4UUG4CDHTP.gl. IN RRSIG NSEC3 8 2 3600 20230705050000 20230618050000 39306 gl. [...]
>>>  6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN NSEC3 1 1 10 504d114b 742MB65DHD2D8BG0846S1RKRER2E8CUB NS DS RRSIG
>>>  6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN RRSIG NSEC3 8 2 3600 20230705050000 20230618050000 39306 gl. [...]
>>> 
>>>  org.gl. IN DS ? ; NXDomain https://dnsviz.net/d/org.gl/ZJEMkg/dnssec/
>>>  gl. IN SOA a.nuuk.nic.gl. gl-admin at tele.gl. 2022119284 900 1800 6048000 3600
>>>  gl. IN RRSIG SOA 8 1 900 20230705050000 20230618050000 39306 gl. [...]
>>>  s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN NSEC3 1 1 10 504d114b SAGKR73F41OMFFI8TDE1CGHOQM502SIH NS SOA RRSIG DNSKEY NSEC3PARAM
>>>  s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN RRSIG NSEC3 8 2 3600 20230705050000 20230618050000 39306 gl. [...]
>>>  EB30Q0MC6UJD3MIGICRL31Q4SNSIT4T7.gl. IN NSEC3 1 1 10 504d114b EE4KJQ89ME2PR0AOHKV4G9OACUF3367V NS DS RRSIG
>>>  EB30Q0MC6UJD3MIGICRL31Q4SNSIT4T7.gl. IN RRSIG NSEC3 8 2 3600 20230705050000 20230618050000 39306 gl. [...]
>>>  6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN NSEC3 1 1 10 504d114b 742MB65DHD2D8BG0846S1RKRER2E8CUB NS DS RRSIG
>>>  6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN RRSIG NSEC3 8 2 3600 20230705050000 20230618050000 39306 gl. [...]
>>> 
>>> All three 2LDs exist, are delegated, have SOA records and child zones.
>>> 
>>> -- 
>>>  Viktor.
>>> _______________________________________________
>>> dns-operations mailing list
>>> dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> 
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>

More information about the dns-operations mailing list