On 2024-04-25 08:55, Josh Kuo wrote:

DS = Delegation Signer, it is the record type that a signed child uploads
to the parent zone. It's difficult to say for sure without more
information such as which domain name you are trying to resolve, but
it looks like it is probably due to a mis-matching DS record between the
child and the parent (security lameness).

You can use tools such as
https://dnssec-analyzer.verisignlabs.com/online to help you analyze
further. If you need to refresh your knowledge on how DNSSEC works, see
the ISC DNSSEC Guide:
https://bind9.readthedocs.io/en/v9.18.14/dnssec-guide.html

-Josh

Hi Josh,

Thank you for your prompt reply!

In this particular case, isn't the resolver attempting to do a reverse
lookup of the IP address that's listed?

Secondly, I'm still not entirely sure what the phrasing "chase DS
servers" means.  I am aware of the DS RR type.

As a side-note:  I believe the "lame-servers" here is a function of me
configuring QNAME minimization to "relaxed".

Thanks,

- J
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
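
The child/parent DS mismatch mentioned in the quoted reply can be checked offline by recomputing the DS from the child's DNSKEY (RFC 4034) and comparing it with the DS set held by the parent. This is an added example, not part of the original thread; the zone name example.test, both keys, and all helper names are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest types from RFC 4034 / 4509 / 6605
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner: str, parent_ds: list, child_dnskeys: list) -> bool:
    """True if at least one DS at the parent matches a DNSKEY in the child."""
    for tag, alg, dtype, digest in parent_ds:
        if dtype not in DIGESTS:
            continue  # unsupported digest type: cannot be validated here
        for rdata in child_dnskeys:
            if make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper()):
                return True
    return False

# Constructed sample data: these byte strings are NOT real ECDSA keys.
OLD_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
# The parent still holds the DS for the old key.
PARENT_DS = [make_ds("example.test.", OLD_KSK)]

if __name__ == "__main__":
    # The child now publishes only the new key, so the chain of trust is broken.
    print("chain intact:", ds_matches("example.test.", PARENT_DS, [NEW_KSK]))
    # While both keys are published the old DS still matches.
    print("chain intact:", ds_matches("example.test.", PARENT_DS, [NEW_KSK, OLD_KSK]))
```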

