<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a> is serving 3 DNSSEC signed ccTLDs (AF, SB, TL) yet it is incapable of returning<div class="">DNSKEY records for those TLDs. This will break DNSSEC validation for every lookup in those ccTLDs</div><div class="">if this server is the only one reachable by the DNS clients. This has been going on since at least April 2019.</div><div class=""><br class=""></div><div class="">Mark</div><div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">Begin forwarded message:</div><br class="Apple-interchange-newline"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">From: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">Mark Andrews <<a href="mailto:marka@isc.org" class="">marka@isc.org</a>><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">Subject: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><b class="">Why is <a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a> returning REFUSED to DNSKEY queries?</b><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">Date: 
</b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">8 April 2019 at 2:16:28 pm AEST<br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">To: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><a href="mailto:hostmaster@coccaregistry.org" class="">hostmaster@coccaregistry.org</a><br class=""></span></div><br class=""><div class=""><div class="">Why is <a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a> returning REFUSED to DNSKEY queries?<br class="">Also why is it echoing back EDNS options when returning REFUSED?<br class="">Also why is AD=1 in the REFUSED response?<br class="">Also why is AA=1 in the REFUSED response?<br class=""><br class="">% dig dnskey af. @185.17.236.111<br class=""><br class="">; <<>> DiG 9.15.0-dev <<>> dnskey af. 
@185.17.236.111<br class="">;; global options: +cmd<br class="">;; Got answer:<br class="">;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16189<br class="">;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br class="">;; WARNING: recursion requested but not available<br class=""><br class="">;; OPT PSEUDOSECTION:<br class="">; EDNS: version: 0, flags:; udp: 4096<br class="">; COOKIE: b1626ff99509b9bf (echoed)<br class="">;; QUESTION SECTION:<br class="">;af.<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre"> </span>DNSKEY<br class=""><br class="">;; Query time: 316 msec<br class="">;; SERVER: 185.17.236.111#53(185.17.236.111)<br class="">;; WHEN: Mon Apr 08 14:12:00 AEST 2019<br class="">;; MSG SIZE rcvd: 43<br class=""><br class="">%<br class=""><br class="">af. @185.17.236.111 (<a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a>.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused<br class="">af. @2a03:dd40:3::111 (<a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a>.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused<br class="">kn. @185.17.236.111 (<a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a>.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused<br class="">kn. @2a03:dd40:3::111 (<a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a>.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused<br class="">ms. 
@185.17.236.111 (<a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a>.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused<br class="">ms. @2a03:dd40:3::111 (<a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a>.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused<br class="">sb. @185.17.236.111 (<a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a>.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused<br class="">sb. @2a03:dd40:3::111 (<a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a>.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused<br class="">tl. @185.17.236.111 (<a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a>.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused<br class="">tl. @2a03:dd40:3::111 (<a href="http://ns.coccaregistry.org" class="">ns.coccaregistry.org</a>.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused<br class="">-- <br class="">Mark Andrews, ISC<br class="">1 Seymour St., Dundas Valley, NSW 2117, Australia<br class="">PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org" class="">marka@isc.org</a><br class=""><br class=""></div></div></blockquote></div><br class=""><div class="">
-- <br class="">Mark Andrews, ISC<br class="">1 Seymour St., Dundas Valley, NSW 2117, Australia<br class="">PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org" class="">marka@isc.org</a>
</div>
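<div class="">Added example, not part of the message above and not ISC code: a Python check for the three anomalies the forwarded query asks about (AA=1 and AD=1 on a REFUSED reply, and an EDNS COOKIE returned unchanged), run over a constructed 43-byte reply rebuilt from the dig output. The function names and the sample bytes are assumptions of this example.</div>

```python
import struct

QR, AA, RD, AD = 0x8000, 0x0400, 0x0100, 0x0020   # header flag bits
REFUSED, TYPE_DNSKEY, TYPE_OPT, OPT_COOKIE = 5, 48, 41, 10

def build_sample(flags=QR | AA | RD | AD | REFUSED):
    """Constructed reply mirroring the dig output: id 16189, QD=1, AR=1."""
    header = struct.pack("!6H", 16189, flags, 1, 0, 0, 1)
    question = b"\x02af\x00" + struct.pack("!2H", TYPE_DNSKEY, 1)
    cookie = bytes.fromhex("b1626ff99509b9bf")      # value dig marked "(echoed)"
    option = struct.pack("!2H", OPT_COOKIE, len(cookie)) + cookie
    # OPT RR: root owner, type 41, class carries UDP size 4096, TTL 0
    opt = b"\x00" + struct.pack("!2HIH", TYPE_OPT, 4096, 0, len(option)) + option
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                   # compression pointer
            return off + 2
        off += length + 1

def audit_response(msg, sent_cookie):
    """List the anomalies from the message that are present in `msg`."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    findings = []
    if flags & 0x000F == REFUSED:
        if flags & AA:
            findings.append("AA=1 on REFUSED")
        if flags & AD:
            findings.append("AD=1 on REFUSED")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        off, end = off + 10, off + 10 + rdlen
        while rtype == TYPE_OPT and end - off >= 4:
            code, olen = struct.unpack_from("!2H", msg, off)
            if code == OPT_COOKIE and msg[off + 4:off + 4 + olen] == sent_cookie:
                findings.append("EDNS COOKIE echoed unchanged")
            off += 4 + olen
        off = end
    return findings
```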
<br class=""></div></body></html>