We are awake now. With some coffee and some consultation with our vendor, we
have corrected the signing issue on 9.5.5.0.1.0.0.2.ip6.arpa. Now to make sure
this doesn't happen again...
Mark
Comcast DNS
On 10/6/20, 8:31 AM, "dns-operations on behalf of Mark Andrews"
<[email protected] on behalf of [email protected]> wrote:
> On 6 Oct 2020, at 23:14, Shumon Huque <[email protected]> wrote:
>
> On Mon, Oct 5, 2020 at 11:22 PM Mark Andrews <[email protected]> wrote:
> > On 6 Oct 2020, at 13:18, Paul Vixie <[email protected]> wrote:
> >
> > ssh gets hinky when i connect from a server whose PTR is "servfail" (dnssec "bogus")
> >
> > • 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid
> > RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY
> > RRset, resulting in no secure entry point (SEP) into the zone. (68.87.68.244,
> > 68.87.72.244, 68.87.76.228, 68.87.85.132, 69.252.250.103,
> > 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244,
> > 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228,
> > 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_K)
>
> I have no idea why DNSVIZ is reporting this NSEC record (?) given there
> is a DS RRset. The covering NSEC record for 9.5.5.0.1.0.0.2.ip6.arpa that
> would prove the non existence of the DS RRset if it didn’t exist is
> 9.5.5.0.1.0.0.2.ip6.arpa. I suspect a DNSVIZ bug here.
>
> Sorry Mark - where do you see dnsviz complaining about an NSEC record?

If it was a DS record I would expect the message to say
9.5.5.0.1.0.0.2.ip6.arpa (not 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa)
which feels more like a NSEC than a DS. It’s not actually clear what RRset it
is referring to.
> This error message says that no "valid" DNSKEY RRSIGs made by a key
> matching the DS RRset were found -- which is a correct diagnosis. No NSEC
> records are involved in that determination.
>
> As you've already pointed out, DNSKEY with keytag 47242 has an expired
> signature on the DNSKEY RRset. Key 30705 has a valid unexpired signature but
> that does not match the DS set (it also doesn't have the advisory SEP flag, so
> was likely not intended to be used as a secure entry point).
>
> Shumon.
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
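The diagnosis Shumon spells out in the thread (the RRSIG over the DNSKEY RRset made by the DS-matching key had expired, while the only unexpired RRSIG came from a key with no DS and no SEP flag) reduces to a structural check that can be scripted. The following is an added example, not code from DNSViz, ISC or Comcast. It does not verify signature bytes cryptographically; it only reproduces the secure-entry-point bookkeeping: key tag (RFC 4034 Appendix B), SHA-256 DS digest over owner name plus DNSKEY RDATA (RFC 4034 section 5.1.4, RFC 4509 digest type 2), the advisory SEP flag, and the RRSIG inception/expiration window. It goes one step past the thread by also running the post-fix state. All key material, key tags and timestamps are constructed and do not correspond to the real 9.5.5.0.1.0.0.2.ip6.arpa keys.

```python
"""Structural secure-entry-point check for a DNSKEY RRset (added example).

Does any RRSIG over the DNSKEY RRset come from a key that (a) matches a DS in the
parent and (b) is inside its validity window?  Signature bytes are NOT verified
here.  All keys and times below are constructed, not real zone data.
"""
import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

SEP_FLAG = 0x0001   # RFC 4034 s2.1.1 Secure Entry Point bit (advisory only)
DS_SHA256 = 2       # RFC 4509 DS digest type


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def sep(self) -> bool:
        return bool(self.flags & SEP_FLAG)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    inception: int    # epoch seconds
    expiration: int   # epoch seconds


def rrsig_time(yyyymmddhhmmss: str) -> int:
    """Parse an RRSIG presentation-format timestamp (always UTC) into epoch seconds."""
    dt = datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def wire_name(name: str) -> bytes:
    """Owner name in lower-cased, uncompressed wire format, as the DS digest requires."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.lower().encode("ascii") for lb in labels) + b"\x00"


def ds_for(owner: str, key: DNSKEY) -> DS:
    """SHA-256 DS for a DNSKEY: digest(owner wire name || DNSKEY RDATA), RFC 4034 s5.1.4."""
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, DS_SHA256, digest)


def sep_check(owner, ds_set, dnskeys, rrsigs, now):
    """Return (ok, findings): ok is True iff some RRSIG over the DNSKEY RRset is made
    by a key matching a DS and the signature is inside its validity window at `now`."""
    findings, ok = [], False
    for sig in rrsigs:
        keys = [k for k in dnskeys if k.key_tag() == sig.key_tag and k.algorithm == sig.algorithm]
        if not keys:
            findings.append(f"tag {sig.key_tag}: RRSIG signer not present in DNSKEY RRset")
        for key in keys:
            mine = ds_for(owner, key)
            if not any(d.digest_type == DS_SHA256 and d.digest == mine.digest for d in ds_set):
                flag = "SEP flag set" if key.sep else "no SEP flag"
                findings.append(f"tag {key.key_tag()}: key matches no DS ({flag})")
            elif not (sig.inception <= now <= sig.expiration):
                findings.append(f"tag {key.key_tag()}: DS-matching key but RRSIG outside validity window")
            else:
                findings.append(f"tag {key.key_tag()}: DS-matching key, RRSIG valid")
                ok = True
    return ok, findings


# Constructed fixture: a KSK (SEP set, delegated to by a DS) and a ZSK (no DS).
OWNER = "9.5.5.0.1.0.0.2.ip6.arpa."
ALG = 13                                                   # ECDSAP256SHA256
KSK = DNSKEY(0x0101, 3, ALG, hashlib.sha512(b"constructed KSK").digest())  # junk bytes, not a real key
ZSK = DNSKEY(0x0100, 3, ALG, hashlib.sha512(b"constructed ZSK").digest())  # junk bytes, not a real key
PARENT_DS = [ds_for(OWNER, KSK)]
NOW = rrsig_time("20201006120000")
ZSK_SIG = RRSIG(ALG, ZSK.key_tag(), rrsig_time("20201001000000"), rrsig_time("20201101000000"))


def demo_broken():
    """The state described in the thread: KSK signature lapsed, ZSK signature valid but unanchored."""
    ksk_sig = RRSIG(ALG, KSK.key_tag(), rrsig_time("20200901000000"), rrsig_time("20201001000000"))
    return sep_check(OWNER, PARENT_DS, [KSK, ZSK], [ksk_sig, ZSK_SIG], NOW)


def demo_fixed():
    """After re-signing the DNSKEY RRset with the KSK."""
    ksk_sig = RRSIG(ALG, KSK.key_tag(), rrsig_time("20201006000000"), rrsig_time("20201106000000"))
    return sep_check(OWNER, PARENT_DS, [KSK, ZSK], [ksk_sig, ZSK_SIG], NOW)


if __name__ == "__main__":
    for label, demo in (("broken", demo_broken), ("fixed", demo_fixed)):
        ok, findings = demo()
        print(f"{label}: secure entry point {'found' if ok else 'NOT found'}")
        for line in findings:
            print("  ", line)
```

The check is deliberately structural: a resolver additionally verifies the signature bytes, and a key tag collision (two keys with the same tag and algorithm) is resolved by that cryptographic step, not by the tag. Note also that the SEP flag is reported only as a hint, matching Shumon's wording; validators do not require it, the DS match is what makes a key a secure entry point.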