> On Oct 18, 2022, at 4:02 PM, Scott Morizot <tmori...@gmail.com> wrote:
>
> I can't say why any RRSIGs or other DNSSEC records are being returned for
> queries for records in fiscal.treasury.gov, however those records are
> spurious. As DNSVIZ does show, the delegation from the last secure zone,
> treasury.gov, to fiscal.treasury.gov is insecure. And thus the subsequent
> delegation from fiscal.treasury.gov to igt.fiscal.treasury.gov is also
> insecure. Once the chain of trust is properly broken and the status moves to
> insecure, everything below that point is also insecure.
>
> DNSVIZ is attempting to make some sense of the spurious DNSSEC records and
> show what the state would be if there weren't an insecure delegation at
> treasury.gov. Or at least that's my guess at what it's doing.

I agree with both points. I just don't know what's going on. As it turns out,
writing a piece of software to try to visualize complex configurations is, um,
complex. I'll add it to my list. Just know that I'm a little behind... :)

Casey
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
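
The rule discussed in the thread above (an insecure delegation ends the chain of trust, so signatures served below it are spurious) can be sketched as follows. This is an added example, not code from DNSViz or from either poster; the zone names and flags are constructed, and the model assumes DS presence or absence has already been authenticated and does not verify any signature.

```python
from dataclasses import dataclass

@dataclass
class Zone:
    name: str
    ds_in_parent: bool   # parent publishes a DS RRset for this zone
    serves_rrsigs: bool  # the zone's servers return RRSIGs with answers

def classify(chain):
    """Walk a delegation chain from the trust anchor downward.

    chain[0] is the trust-anchor zone (its ds_in_parent stands for the
    configured anchor); each later zone is a child of the one before it.
    Returns {zone name: (status, spurious_signatures)}.
    """
    status = "secure"
    out = {}
    for zone in chain:
        if status == "secure":
            if not zone.ds_in_parent:
                # Proven absence of DS: the chain of trust ends here.
                status = "insecure"
            elif not zone.serves_rrsigs:
                # DS promises a signed zone, but signatures are missing.
                status = "bogus"
        # Below an insecure delegation a validator never evaluates RRSIGs,
        # so any that are served have no effect on the result.
        spurious = status == "insecure" and zone.serves_rrsigs
        out[zone.name] = (status, spurious)
    return out

# Constructed chain with the same shape as the one in the thread:
# the last secure zone delegates without a DS, yet the child still
# returns RRSIGs, and so does the zone below it.
SAMPLE_CHAIN = [
    Zone("example", True, True),
    Zone("dept.example", True, True),           # last secure zone
    Zone("sub.dept.example", False, True),      # insecure delegation
    Zone("app.sub.dept.example", False, True),  # inherits insecure
]

if __name__ == "__main__":
    for name, (status, spurious) in classify(SAMPLE_CHAIN).items():
        note = " (RRSIGs present but spurious)" if spurious else ""
        print(f"{name}: {status}{note}")
```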