Re: [dns-operations] DNSSEC at ICANN: still no check?

Mon, 20 Jan 2014 08:26:58 -0800 

I don’t understand the problem. Do you expect nic.red to be dnssec-signed?

Roy

On 20 Jan 2014, at 16:10, Stephane Bortzmeyer <[email protected]> wrote:

> .red and .rich both have a nic.$TLD which is unsigned. The lack of DS
> is not validated, since only one NSEC3 is returned. It seems similar
> to the problem of .онлайн / .xn--80asehdb three months ago.
> 
> % dig SOA nic.red
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SOA nic.red
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52972
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nic.red.             IN SOA
> 
> ;; Query time: 879 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 20 17:09:05 2014
> ;; MSG SIZE  rcvd: 36
> 
> % dig DS nic.red     
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> DS nic.red
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34835
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nic.red.             IN DS
> 
> ;; AUTHORITY SECTION:
> red.                  82 IN SOA a0.nic.red. noc.afilias-nst.info. (
>                               1000000061 ; serial
>                               10800      ; refresh (3 hours)
>                               3600       ; retry (1 hour)
>                               2764800    ; expire (4 weeks 4 days)
>                               900        ; minimum (15 minutes)
>                               )
> red.                  82 IN RRSIG SOA 7 1 86400 20140210022600 (
>                               20140120012600 31835 red.
>                               U4a3e+kX3o8kRxqulzS+RdEplbqg4ZwqT98q3NgGZUVY
>                               jaYoO9xu4jJ9ynIMb+v0BkhfrOeFIwKFt7KL8s8qKSbi
>                               FVJRFliCCSDJF7A+KKI96DltInT7D26XaIxPQQVnj/F6
>                               G2MFJ/SKn5Iy4X8KENPNK9H9TuygMZSdiCxMA8U= )
> 4iafiqi7pvouh4fbdvcmrap96fj3lefb.red. 82 IN RRSIG NSEC3 7 2 900 
> 20140210022600 (
>                               20140120012600 31835 red.
>                               Px2DkjVJsutn2Xu/Hzf2h1VCseQdURaAqdLNHp3OYzMd
>                               c4koecXH/yWeqSv9w9UhJWd2ksxTihkjoq3nz7GezL03
>                               1E5XgReyte0JYNlILdTUOD8CJmsN+/hPYGSX16NeWnn9
>                               poGcDOmoAPUn0x4ywlR7lAHEITPlDXxV3p8am+A= )
> 4iafiqi7pvouh4fbdvcmrap96fj3lefb.red. 82 IN NSEC3 1 1 1 D399EAAB 
> 6EIVIDT04UJLNSB9HA6K5QRIKLTRRA49
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 20 17:09:26 2014
> ;; MSG SIZE  rcvd: 496
> 
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Reply via email to