<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-ZA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Hi Peter the zone co.bw has not been signed.Whe we started signing we started with the smallest zones and left co.bw while observing how other zones
behave<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Peter van Dijk [mailto:peter.van.dijk@powerdns.com]
<br>
<b>Sent:</b> 20 September 2016 04:12 PM<br>
<b>To:</b> dns-operations@dns-oarc.net<br>
<b>Cc:</b> Moakofi Kamanga <kamanga@BOCRA.ORG.BW><br>
<b>Subject:</b> (co.)bw DNSSEC failure<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As (currently) visible on <a href="https://protect-za.mimecast.com/s/XDAvBlUv0Kvfx?domain=dnsviz.net">
http://dnsviz.net/d/co.bw/dnssec/</a>, -one- of <br>
the auths for .bw (the one with ‘master’ in the name) responds <br>
without any DNSSEC data to a DS query for co.bw, turning all names under <br>
co.bw bogus if a validator happens to hit this auth.<br>
<br>
See also, bad:<br>
<br>
$ dig +dnssec ds co.bw @168.167.168.37 +norec<br>
<br>
; <<>> DiG 9.11.0a2 <<>> +dnssec ds co.bw @168.167.168.37 +norec<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55749<br>
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 4096<br>
;; QUESTION SECTION:<br>
;co.bw. IN DS<br>
<br>
;; AUTHORITY SECTION:<br>
bw. 3600 IN SOA dns1.nic.net.bw. registry.nic.net.bw. 2016092010 21600 <br>
3600 604800 3600<br>
bw. 3600 IN RRSIG SOA 8 1 3600 20161004224314 20160920130009 30513 bw. <br>
zSVNWUlYuP8JvpLazV2qy7GZ7DhPDkAcwGDeIx9K4EJwiOPRJW/PxSJW <br>
1zulj9dZXDTbtu5CtgBc5RfXuFVlocLdPO2a8YrhOgmFBZV/QUfQ3521 <br>
L9ulDOU7ugB0Rdkqk+hwRm7EDLkRRFFK8wKs7Pur7caG2myFBoCqW7s5 qfk=<br>
<br>
;; Query time: 371 msec<br>
;; SERVER: 168.167.168.37#53(168.167.168.37)<br>
;; WHEN: Tue Sep 20 16:10:48 CEST 2016<br>
;; MSG SIZE rcvd: 254<br>
<br>
<br>
good:<br>
$ dig +dnssec ds co.bw @204.61.216.70 +norec<br>
<br>
; <<>> DiG 9.11.0a2 <<>> +dnssec ds co.bw @204.61.216.70 +norec<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27343<br>
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 4096<br>
;; QUESTION SECTION:<br>
;co.bw. IN DS<br>
<br>
;; AUTHORITY SECTION:<br>
bw. 3600 IN SOA dns1.nic.net.bw. registry.nic.net.bw. 2016092010 21600 <br>
3600 604800 3600<br>
bw. 3600 IN RRSIG SOA 8 1 3600 20161004224314 20160920130009 30513 bw. <br>
zSVNWUlYuP8JvpLazV2qy7GZ7DhPDkAcwGDeIx9K4EJwiOPRJW/PxSJW <br>
1zulj9dZXDTbtu5CtgBc5RfXuFVlocLdPO2a8YrhOgmFBZV/QUfQ3521 <br>
L9ulDOU7ugB0Rdkqk+hwRm7EDLkRRFFK8wKs7Pur7caG2myFBoCqW7s5 qfk=<br>
0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. 3600 IN NSEC3 1 0 5 <br>
CE1457EE88F2A780 0R4R9PE5RACFBV1D2QKKHU3APDT24GJI NS<br>
0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. 3600 IN RRSIG NSEC3 8 2 3600 <br>
20161004194150 20160920130009 30513 bw. <br>
dVxbk65WdNrwMt56HU1FCSvv1hmF7V4VhJByV9tyav56uKLEVgTA5VFM <br>
RZjyReGj6LFQuaczsgXDCbVoCDS1NMjLl6hgkMrje9I/rZ4tdeQ6FGyU <br>
OIIUsj8LX1/Xf0d3wckFXDO8n3WzYZHbpH26RiuK85kLlecEiYCO1vh0 10s=<br>
<br>
;; Query time: 23 msec<br>
;; SERVER: 204.61.216.70#53(204.61.216.70)<br>
;; WHEN: Tue Sep 20 16:11:13 CEST 2016<br>
;; MSG SIZE rcvd: 498<br>
<br>
<br>
Technical contact from <a href="https://protect-za.mimecast.com/s/7xVwB7IKoaKU2?domain=iana.org">
https://www.iana.org/domains/root/db/bw.html</a> in <br>
Cc; sending to dns-operations in case anybody has a better contact.<br>
<br>
Kind regards,<br>
-- <br>
Peter van Dijk<br>
PowerDNS.COM BV - <a href="https://protect-za.mimecast.com/s/E70NB5F2a32ca?domain=powerdns.com">
https://www.powerdns.com/</a><o:p></o:p></p>
</div>
</body>
</html>