It helps to return the NSEC3 record that proves that the
wildcard name does not exist.

25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: in authvalidated
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: resuming nsecvalidate
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: looking for relevant NSEC3
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: looking for relevant NSEC3
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 proves name does not exist: 'www.xn--80aswg'
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 indicates potential closest encloser: 'xn--80aswg'
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 at super-domain xn--80aswg
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: in checkwildcard: *.xn--80aswg
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: looking for relevant NSEC3
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 at super-domain xn--80aswg
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: in checkwildcard: *.xn--80aswg
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: nonexistence proof(s) not found
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: checking existence of DS at 'xn--80aswg'
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: checking existence of DS at 'www.xn--80aswg'
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: continuing validation would lead to deadlock: aborting validation
25-Oct-2013 00:36:21.420   validating @0x7fc374c8dc00: www.xn--80aswg DS: deadlock found (create_validator)


In message <ce8e9611.39370%[email protected]>, Dan York writes:
> On 10/24/13 9:12 AM, "Chris Thompson" <[email protected]> wrote:
> 
> 
> >At 13:01 23-10-2013, Edward Lewis wrote:
> >>My sensors show 4 new gTLDs in the last hour or so...IDN,
> >>non-ccTLD...added between 1800 and 1900 UTC.
> >
> >Not mentioned yet is that all four appeared already signed and with
> >DS records in the root zone.
> 
> Funny you should mention that... I just published a post this morning
> promoting that fact:
> 
> http://www.internetsociety.org/deploy360/blog/2013/10/4-newgtlds-launched-yesterday-marks-dawn-of-dnssec-from-the-start-tlds/
> 
> 
> From a DNSSEC-advocacy point of view, this is a great step forward as all
> new domains registered under these newgTLDs will at least have the
> *option* of being secured by DNSSEC.
> 
> >But... the two Cyrillic gTLDs (xn--80asehdb & xn--80aswg) are a bit
> >broken, in that NXDOMAIN responses don't validate properly. Neither
> >dnssec-debugger.verisignlabs.com nor dnsviz.net are able to analyse
> >validation problems for NXDOMAIN responses, so I am not quite sure
> >why yet, but e.g.
> >
> >  dig +dnssec www.xn--80asehdb.
> >  dig +dnssec www.xn--80aswg.
> >
> >give SERVFAILs which can be avoided by adding the +cd option.
> 
> Hmmm... interesting.  Perhaps some work is still needed on the operational
> front there...
> 
> Dan
> 
> --
> Dan York
> Senior Content Strategist, Internet Society
> [email protected] <mailto:[email protected]>   +1-802-735-1624
> Jabber: [email protected] <mailto:[email protected]>
> Skype: danyork   http://twitter.com/danyork
> 
> http://www.internetsociety.org/deploy360/ 
> 
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
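
An added example, not part of the original message and not BIND's code: a simplified check of the three parts of an NSEC3 name error proof (closest encloser matched, next closer name covered, wildcard at the closest encloser covered), showing a response that fails only the wildcard part, as in the log above. The salt, iteration count and NSEC3 records are constructed (minimal covering ranges, not the TLD's real data); signatures, type bitmaps and opt-out are ignored.

```python
import hashlib

def wire(name):
    """Canonical (lower-case) DNS wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5 hash (SHA-1), returned as an integer for ordering."""
    digest = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return int.from_bytes(digest, "big")

def covers(record, h):
    """True if h falls strictly between the NSEC3 owner hash and next hash."""
    owner, nxt = record
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # last record in the chain wraps around

def check_nxdomain(qname, records, salt, iterations):
    """Evaluate the three parts of an NSEC3 name error proof (RFC 5155 8.4)."""
    labels = qname.rstrip(".").split(".")
    owners = {owner for owner, _ in records}
    proof = {"closest_encloser": None, "next_closer_covered": False,
             "wildcard_covered": False}
    for i in range(1, len(labels) + 1):  # ancestors of qname, longest first
        ancestor = ".".join(labels[i:]) or "."
        if nsec3_hash(ancestor, salt, iterations) in owners:
            next_closer = ".".join(labels[i - 1:])
            wildcard = "*" if ancestor == "." else "*." + ancestor
            nh = nsec3_hash(next_closer, salt, iterations)
            wh = nsec3_hash(wildcard, salt, iterations)
            proof["closest_encloser"] = ancestor
            proof["next_closer_covered"] = any(covers(r, nh) for r in records)
            proof["wildcard_covered"] = any(covers(r, wh) for r in records)
            break
    proof["valid"] = (bool(proof["closest_encloser"])
                      and proof["next_closer_covered"] and proof["wildcard_covered"])
    return proof

# Constructed data: salt, iteration count and records are illustrative only.
SALT, ITER, QNAME = bytes.fromhex("ab12"), 5, "www.xn--80aswg"
def h(name): return nsec3_hash(name, SALT, ITER)
def minimal_cover(name): return (h(name) - 1, h(name) + 1)
MATCH_APEX = (h("xn--80aswg"), h("xn--80aswg") + 1)
INCOMPLETE = [MATCH_APEX, minimal_cover(QNAME)]  # wildcard proof missing
COMPLETE = INCOMPLETE + [minimal_cover("*.xn--80aswg")]
```
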