> On 6 Oct 2020, at 23:14, Shumon Huque <[email protected]> wrote:
>
> On Mon, Oct 5, 2020 at 11:22 PM Mark Andrews <[email protected]> wrote:
>
>> On 6 Oct 2020, at 13:18, Paul Vixie <[email protected]> wrote:
>>
>>> ssh gets hinky when i connect from a server whose PTR is "servfail" (dnssec
>>> "bogus")
>>>
>>> • 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid RRSIGs
>>> made by a key corresponding to a DS RR were found covering the DNSKEY
>>> RRset, resulting in no secure entry point (SEP) into the zone.
>>> (68.87.68.244, 68.87.72.244, 68.87.76.228, 68.87.85.132, 69.252.250.103,
>>> 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244,
>>> 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228,
>>> 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_K)
>>
>> I have no idea why DNSVIZ is reporting this NSEC record (?) given there is a
>> DS RRset. The covering NSEC record for 9.5.5.0.1.0.0.2.ip6.arpa that would
>> prove the non-existence of the DS RRset if it didn't exist is
>> 9.5.5.0.1.0.0.2.ip6.arpa. I suspect a DNSVIZ bug here.
>
> Sorry Mark - where do you see dnsviz complaining about an NSEC record?

If it were a DS record I would expect the message to say 9.5.5.0.1.0.0.2.ip6.arpa
(not 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa), which feels more like an
NSEC than a DS. It's not actually clear what RRset it is referring to.

> This error message says that no "valid" DNSKEY RRSIGs made by a key matching
> the DS RRset were found -- which is a correct diagnosis. No NSEC records are
> involved in that determination.
>
> As you've already pointed out, DNSKEY with keytag 47242 has an expired
> signature on the DNSKEY RRset. Key 30705 has a valid unexpired signature but
> that does not match the DS set (it also doesn't have the advisory SEP flag,
> so was likely not intended to be used as a secure entry point).
>
> Shumon.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
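The diagnosis Shumon describes (a key with a matching DS whose RRSIG over the DNSKEY RRset has expired, plus a key with a valid RRSIG but no matching DS, so no secure entry point) can be reproduced mechanically. The script below is an added example, not code from the thread, from DNSViz or from ISC: it computes RFC 4034 key tags and DS digests from DNSKEY RDATA, walks the RRSIGs over the DNSKEY RRset, and reports which keys could serve as a secure entry point. It only models the DS/key-tag/validity-window checks the thread discusses; signature bytes are not cryptographically verified. The zone name, the key material, the timestamps and the helper names are all constructed for illustration, and the SEP flag is reported but, as Shumon notes, never used as a validation criterion.

```python
"""Added example: reproduce the "no secure entry point" diagnosis for a DNSKEY RRset.
Only DS matching, key-tag matching and RRSIG validity windows are modelled; the
signature bytes themselves are not verified.  All data is constructed."""
import hashlib
import struct
from dataclasses import dataclass

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types (RFC 4034 Appendix A.2)


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased, length-prefixed) wire form of an owner name."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def keytag_of(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the complete DNSKEY RDATA (non-RSA/MD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class DNSKEY:
    flags: int          # 256 = zone key, 257 = zone key + SEP bit (advisory only)
    algorithm: int
    pubkey: bytes
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    @property
    def keytag(self) -> int:
        return keytag_of(self.rdata())

    @property
    def sep(self) -> bool:
        return bool(self.flags & 1)


@dataclass
class DS:
    keytag: int
    algorithm: int
    digest_type: int
    digest: bytes


def ds_for(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS for a key: digest over canonical owner name || DNSKEY RDATA (RFC 4034 s5.1.4)."""
    h = DIGESTS[digest_type]
    return DS(key.keytag, key.algorithm, digest_type, h(name_to_wire(owner) + key.rdata()).digest())


@dataclass
class RRSIG:
    type_covered: str
    algorithm: int
    expiration: int     # seconds since the epoch
    inception: int
    keytag: int
    signer: str


def diagnose(owner, ds_set, keys, sigs, now):
    """Return {'secure_entry_points': [keytags], 'notes': [...]} for the DNSKEY RRset at owner."""
    notes, seps = [], []
    for sig in sigs:
        if sig.type_covered != "DNSKEY" or sig.signer.lower() != owner.lower():
            continue
        for key in keys:
            if key.keytag != sig.keytag or key.algorithm != sig.algorithm:
                continue
            tag = f"key {key.keytag}{' (SEP flag set)' if key.sep else ''}"
            if not (sig.inception <= now <= sig.expiration):      # RFC 4035 s5.3.1 time check
                notes.append(f"{tag}: RRSIG over DNSKEY is expired or not yet valid")
                continue
            matched = any(
                ds.keytag == key.keytag and ds.algorithm == key.algorithm
                and ds.digest_type in DIGESTS
                and ds.digest == ds_for(owner, key, ds.digest_type).digest
                for ds in ds_set)
            if matched:
                seps.append(key.keytag)
                notes.append(f"{tag}: unexpired RRSIG and matching DS, secure entry point")
            else:
                notes.append(f"{tag}: unexpired RRSIG but no DS in the parent matches it")
    if not seps:
        notes.append("no secure entry point into the zone: DNSKEY RRset is bogus")
    return {"secure_entry_points": seps, "notes": notes}


def example_scenario(ksk_signature_expired: bool = True):
    """Constructed data (hypothetical zone, filler key bytes): a SEP-flagged key published
    in the parent as DS, a second key that is not, and one RRSIG over DNSKEY from each."""
    owner = "zone.example."
    now = 1602000000                                   # roughly the thread's date
    ksk = DNSKEY(257, 13, bytes(range(1, 65)))         # 64 filler bytes, not a real key
    zsk = DNSKEY(256, 13, bytes(range(64, 0, -1)))
    ds_set = [ds_for(owner, ksk, 2)]                   # parent publishes DS for the KSK only
    ksk_exp = now - 86400 if ksk_signature_expired else now + 14 * 86400
    sigs = [RRSIG("DNSKEY", 13, ksk_exp, now - 30 * 86400, ksk.keytag, owner),
            RRSIG("DNSKEY", 13, now + 7 * 86400, now - 30 * 86400, zsk.keytag, owner)]
    return owner, ds_set, [ksk, zsk], sigs, now


if __name__ == "__main__":
    for line in diagnose(*example_scenario())["notes"]:
        print(line)
```

With the default scenario the key that has a DS is rejected for an expired RRSIG and the other key is rejected for having no DS, which is exactly the state Shumon describes; re-signing the DNSKEY RRset with the DS-published key (example_scenario(False)) is enough to restore a secure entry point, regardless of the SEP bit.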
