On Sat, Jul 26, 2014 at 2:30 PM, Ryan Rawdon <[email protected]> wrote:

> http://dnssec-debugger.verisignlabs.com/www.moneyfactorystore.gov
>
> RRSIG=51869 and DNSKEY=51869 does not verify the A RRset (RSA Verification failed)
> RRSIG=54410 and DNSKEY=54410 does not verify the A RRset (RSA Verification failed)
> None of the 2 RRSIG and 4 DNSKEY records validate the A RRset
> The A RRset was not signed by any keys in the chain-of-trust
>
> Validation for moneyfactorystore.gov succeeds, however
> www.moneyfactorystore.gov fails. Came across this when a user pointed
> out that it was not resolving.

Hmm, DNSViz doesn't see any problems [1], and the DNS-OARC resolvers give an authenticated response [2]. I'm not sure about the reported RSA verification failures, but it could be that your resolver is (incorrectly) expecting a closest encloser NSEC3 record, which isn't necessary for wildcard responses, but which some older versions of BIND required [3]. What resolver are you running?

Cheers,
Casey

[1] http://dnsviz.net/d/www.moneyfactorystore.gov/U9P4fQ/dnssec/
[2] https://www.dns-oarc.net/oarc/services/odvr
[3] See the following thread: http://dnssec-deployment.org/pipermail/dnssec-deployment/2011-October/005486.html
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
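The wildcard case raised in the reply above, as an added example that is not part of the original thread: a validator recognises a wildcard-expanded answer from the RRSIG Labels field (RFC 4035 section 5.3.4) and then needs only an NSEC3 record covering the "next closer" name, not one matching the closest encloser (RFC 5155). The function names and the Labels value of 2 used for www.moneyfactorystore.gov are assumptions constructed for illustration.

```python
import base64
import hashlib

# Translation from the standard base32 alphabet to base32hex, which NSEC3 owner names use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def _labels(name):
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def _fqdn(labels):
    return ".".join(labels) + "." if labels else "."

def wildcard_proof(qname, rrsig_labels):
    """Return the names involved if the answer was wildcard-expanded, else None."""
    q = _labels(qname)
    if rrsig_labels > len(q):
        raise ValueError("RRSIG Labels field exceeds owner name label count")
    if rrsig_labels == len(q):
        return None                      # signed at the name itself, no expansion
    closest = q[len(q) - rrsig_labels:]  # rightmost <Labels> labels
    return {
        "wildcard": _fqdn(["*"] + closest),
        "closest_encloser": _fqdn(closest),
        # One label longer than the closest encloser: this is the name whose
        # hash must be covered by an NSEC3 record in the response.
        "next_closer": _fqdn(q[len(q) - rrsig_labels - 1:]),
    }

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: iterated SHA-1 over the wire-format name plus salt."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name)) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # 'iterations' additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def covers(nsec3_owner_hash, nsec3_next_hash, target_hash):
    """True if target falls strictly between owner and next, with wrap-around."""
    if nsec3_owner_hash < nsec3_next_hash:
        return nsec3_owner_hash < target_hash < nsec3_next_hash
    return target_hash > nsec3_owner_hash or target_hash < nsec3_next_hash

if __name__ == "__main__":
    # Constructed input: Labels=2 is assumed, not taken from the zone.
    print(wildcard_proof("www.moneyfactorystore.gov", 2))
```
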
