I am preparing to enable DNSSEC validation, so I am working on alerts for failed validations, so I can see whether they are user errors (that might need negative trust anchors or other exceptions) or actual attacks.
I stumbled on "mff.cuni.cz" which has RRSIG records that expired 3 months ago, but my validating server still gives an answer and says that it is valid. Is that expected?

BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version) <id:7107deb>

[hostmast@ns-umd-nsbs-1 named]$ delv mff.cuni.cz @127.0.0.1
;; validating mff.cuni.cz/DNSKEY: verify failed due to bad signature (keyid=47500): RRSIG has expired
; fully validated
mff.cuni.cz.            28546   IN      A       195.113.27.221
mff.cuni.cz.            28546   IN      RRSIG   A 13 3 28800 20200611045052 20200512043705 47500 mff.cuni.cz. ZbW+RXOvA24E+Fb0Z/M3OfMJdFD9vdRKD8nhylZSfB0fkq236lohWHGu 4A54HrqasAPkUHJd/LcoN1+k6bkAqw==

[hostmast@ns-umd-nsbs-1 named]$ dig mff.cuni.cz @127.0.0.1 +adflag

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> mff.cuni.cz @127.0.0.1 +adflag
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17300
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mff.cuni.cz.                   IN      A

;; ANSWER SECTION:
mff.cuni.cz.            28784   IN      A       195.113.27.221

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 14 09:51:53 EDT 2020
;; MSG SIZE  rcvd: 56

--
Bob Harold
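The kind of check the message is asking about, written out as an added example (not code from the message, from BIND, or from the DNSOP list): parse an RRSIG in presentation format, evaluate its inception/expiration window at a given instant, and emit the alert lines an expiry-monitoring job would want. The RRSIG line and the query time ("Thu May 14 09:51:53 EDT 2020") are taken from the output above; the second, already-expired RRSIG is constructed for illustration and is not a record the message shows, and the seven-day warning threshold is an arbitrary choice. Signature times are interpreted as UTC per RFC 4034 section 3.2, and an RRset counts as usable when at least one of its RRSIGs is inside its window, which is the rule from RFC 4035 section 5.3.3.

```python
"""RRSIG validity-window checks for DNSSEC expiry alerting.

Added example, not code from the original message or from BIND. The first
RRSIG and the query time come from the message; the second RRSIG is
constructed to show an expired signature.
"""
import base64
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RRSIG line from the delv output (RFC 4034 section 3.2 presentation format).
SAMPLE_RRSIG = (
    "mff.cuni.cz. 28546 IN RRSIG A 13 3 28800 20200611045052 20200512043705 "
    "47500 mff.cuni.cz. ZbW+RXOvA24E+Fb0Z/M3OfMJdFD9vdRKD8nhylZSfB0fkq236lohWHGu "
    "4A54HrqasAPkUHJd/LcoN1+k6bkAqw=="
)
# Constructed, not from the message: a DNSKEY RRSIG whose window ended in February 2020.
CONSTRUCTED_EXPIRED_RRSIG = (
    "mff.cuni.cz. 28546 IN RRSIG DNSKEY 13 3 28800 20200214000000 20200115000000 "
    "47500 mff.cuni.cz. AAAA"
)
# "WHEN: Thu May 14 09:51:53 EDT 2020" from the dig output; EDT is UTC-4.
QUERY_TIME = datetime(2020, 5, 14, 9, 51, 53, tzinfo=timezone(timedelta(hours=-4)))


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str
    signature: bytes


def _sig_time(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    if len(field) != 14 or not field.isdigit():
        raise ValueError(f"unsupported RRSIG time field: {field!r}")
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one presentation-format RRSIG; the base64 signature may be split by spaces."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return Rrsig(
        owner=f[0], type_covered=f[4], algorithm=int(f[5]), labels=int(f[6]),
        original_ttl=int(f[7]), expiration=_sig_time(f[8]), inception=_sig_time(f[9]),
        key_tag=int(f[10]), signer=f[11], signature=base64.b64decode("".join(f[12:])),
    )


def window_state(sig: Rrsig, now: datetime) -> str:
    """'valid' only when inception <= now <= expiration (RFC 4035 section 5.3.1)."""
    if now < sig.inception:
        return "not-yet-valid"
    if now > sig.expiration:
        return "expired"
    return "valid"


def time_left(sig: Rrsig, now: datetime) -> timedelta:
    """Time until the signature expires; negative once it has."""
    return sig.expiration - now


def rrset_has_usable_rrsig(sigs, now: datetime) -> bool:
    """A validator needs only one RRSIG on the RRset to verify (RFC 4035 section 5.3.3),
    so one expired signature beside a live one is not by itself a validation failure."""
    return any(window_state(s, now) == "valid" for s in sigs)


def alerts(sigs, now: datetime, warn_before: timedelta = timedelta(days=7)) -> list:
    """Alert lines for a monitoring job: RRSIGs outside their window or close to expiry.
    The warn_before default is an arbitrary threshold chosen for this example."""
    out = []
    for s in sigs:
        state = window_state(s, now)
        left = time_left(s, now)
        if state != "valid":
            out.append(f"{state}: {s.owner} RRSIG {s.type_covered} keyid={s.key_tag} "
                       f"window {s.inception:%Y-%m-%d}..{s.expiration:%Y-%m-%d}")
        elif left < warn_before:
            out.append(f"expiring in {left.days}d: {s.owner} RRSIG {s.type_covered} keyid={s.key_tag}")
    return out


if __name__ == "__main__":
    live = parse_rrsig(SAMPLE_RRSIG)
    old = parse_rrsig(CONSTRUCTED_EXPIRED_RRSIG)
    print(window_state(live, QUERY_TIME), f"({len(live.signature)}-byte signature)")
    for line in alerts([live, old], QUERY_TIME):
        print(line)
```

Run as-is it evaluates both records at the query time shown in the dig output; for a real alerting job, feed it the RRSIG lines from `delv +multiline` or `dig +dnssec` output and `datetime.now(timezone.utc)`. The 64-byte decoded signature on the sample record matches algorithm 13 (ECDSA P-256), a cheap sanity check to add if you also want to catch mangled records.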
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop