Why are you complaining to ARIN (5.0.1.0.0.2.ip6.arpa) when this is Comcast's 
(9.5.5.0.1.0.0.2.ip6.arpa) fault?

If Comcast don’t re-sign their zone properly things break.  Note the signature 
for DNSKEY(47242) is out of date.

9.5.5.0.1.0.0.2.ip6.arpa. 3579  IN      DNSKEY  257 3 5 
AwEAAcaqTpoScNc8eSX3L0Khdntzs5+PG+740QK2IWleEl5rd6O7NXLE 
8kIpNdP7Vj+251B3CWZdtwjRJghdJhNiRIJMotI6D/XZQ29i0gg2cYT6 
SPeXiwe7qp2+Gi9L5WnFdPsKspWW8AXNdIRTaZtEEs6IRP2LeN+dwc4V 
cehqe+I54Ypg3/z8a7pRN0E5E/1g5UAnLZEeTyj6oksSTytUHZ7GenKY 
kFJZjXR1eheMCl49ck9UX2lQaJf3m5GuXvmPETfv7OdQU2OfT7AukbHj 
4+QjDxsnf/q4AE/o8sIWm0k8AedlnG2gUex7rAWYsyZmpPi6UEbctyjf eMAoBrCoUNU=  ; KSK; 
alg = RSASHA1 ; key id = 47242
9.5.5.0.1.0.0.2.ip6.arpa. 3579  IN      DNSKEY  256 3 5 
AwEAAd2YrNVKQSCOywdo+x+2YW2oTtCKCh4XArHGADnWu9gXcnjPEIxl 
J0dM3+aPAU/x8FtVB0WQasF7+7kHsuvRAuMqGnEg6jxnWRcbnMGd8Tob 
phl7bsY4wIIGX99SAGCoSdY4eszvvpfcppxT8AFi8NbqQgWNpnMcHCPp SRv2j359  ; ZSK; alg = 
RSASHA1 ; key id = 30705
9.5.5.0.1.0.0.2.ip6.arpa. 3579  IN      RRSIG   DNSKEY 5 10 3600 20200509174432 
20200110134432 47242 9.5.5.0.1.0.0.2.ip6.arpa. 
YVnmkYciYb1i8v7jkAzPFC5ue1+jRHdyMCuosFGf7n+6Su0yW9bTDXH5 
W7xSZ3Ndike4DDRWO1+Ba8HjxBSD/r7eeXz4jui3FAuUXpT46a1rDa/P 
/LwnfKi5x6I/cNn4bBBqDwVyOzE6136zw3r59mcChSOGAsZAF9hsJzz2 
yOZpYiSbgDWO/HM/anD5miCTqljPtMPtgRJiPI+nzBpra8mKJTk0Eg9J 
dmMwG6zuOhRJj5ImSXNPHonMJCKclVAfRZCocVtApzcAeQF0IrEa8yXR 
wdNt+zvhvVTd/fjWcgpj7oV64VHBuDAL51zjU2l5jC0qeG1fxrIrBTB5 2djygw==
9.5.5.0.1.0.0.2.ip6.arpa. 3579  IN      RRSIG   DNSKEY 5 10 3600 20201009204432 
20201002173932 30705 9.5.5.0.1.0.0.2.ip6.arpa. 
wqJEB/SLUKDwlMuNZ9huG9809BCHMFcEh0USglWs0ErIJ6NEt2NFIVhP 
m3uYEWGm2e6t7LaMsuDO4i7gZstO7ONgVoqDSXKBwXwJH+UocASK1JpW 
f9ndqTnF2zdcnC2MjT5wbD1qZa/AhKq1TRztc4oXmF9sLIfSIdkZ94m9 1YU=

ARIN has the correct DS records.  Note the key id matched that of the KSK 
DNSKEY and the contents of the DS algorithms I checked are correct.

9.5.5.0.1.0.0.2.ip6.arpa. 1581  IN      DS      47242 5 4 
478AED83E09ED912C1B7098BFE30EBB26F4E42F7641ED74CC9FF0A68 
B70F7BECFD6FD635600FA66A3D69F424AFF0F865
9.5.5.0.1.0.0.2.ip6.arpa. 1581  IN      DS      47242 5 2 
51AF515ACB12A7FC94BCEB3E061363ED6F917B6798F88A88697B5D72 4DC131AA
9.5.5.0.1.0.0.2.ip6.arpa. 1581  IN      DS      47242 5 1 
F172A2C39A98C115B1ED8A14D09FE30C97B95D57

Now ARIN should be badgering Comcast to fix this as they should be checking 
that the delegation is correct.  RFC 1034 required this sort of checking for NS 
records and DS records should be similar.

> On 6 Oct 2020, at 13:18, Paul Vixie <vi...@fsi.io> wrote:
> 
> ssh gets hinky when i connect from a server whose PTR is "servfail" (dnssec 
> "bogus")
> 
>       • 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid RRSIGs 
> made by a key corresponding to a DS RR were found covering the DNSKEY RRset, 
> resulting in no secure entry point (SEP) into the zone. (68.87.68.244, 
> 68.87.72.244, 68.87.76.228, 68.87.85.132, 69.252.250.103, 
> 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244, 
> 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228, 
> 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_K)

I have no idea why DNSVIZ is reporting this NSEC record (?) given there is a DS 
RRset.  The covering NSEC record for 9.5.5.0.1.0.0.2.ip6.arpa that would prove 
the non-existence of the DS RRset if it didn’t exist is 
9.5.5.0.1.0.0.2.ip6.arpa.  I suspect a DNSVIZ bug here.

>       • RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature 
> Expiration field of the RRSIG RR (2020-05-09 17:44:32+00:00) is 149 days in 
> the past.
>       • RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature 
> Expiration field of the RRSIG RR (2020-05-09 17:44:32+00:00) is 149 days in 
> the past.
> 
> https://dnsviz.net/d/5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.c.0.0.0.0.0.8.9.5.5.0.1.0.0.2.ip6.arpa/dnssec/
> 
> -- 
> Sent from Postbox
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
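The secure-entry-point check a validator applies to the records above, as an added example (not code from the thread or from DNSVIZ): the key tags, DS tags and RRSIG validity windows are transcribed from the message, the timestamp is the date of Paul's mail, and `secure_entry_point`/`check_thread_case` are names chosen here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Values transcribed from the thread (9.5.5.0.1.0.0.2.ip6.arpa, October 2020).
DS_KEY_TAGS = {47242}                 # all three DS records point at tag 47242
DNSKEY_TAGS = {47242: "KSK", 30705: "ZSK"}


@dataclass(frozen=True)
class Rrsig:
    """Only the RRSIG fields that matter for the SEP decision."""
    type_covered: str
    key_tag: int
    inception: str    # YYYYMMDDHHMMSS, as printed in the RRSIG RDATA
    expiration: str


RRSIGS = [
    Rrsig("DNSKEY", 47242, "20200110134432", "20200509174432"),  # by the KSK
    Rrsig("DNSKEY", 30705, "20201002173932", "20201009204432"),  # by the ZSK
]


def parse_sigtime(s: str) -> datetime:
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def secure_entry_point(rrsigs, ds_tags, dnskey_tags, now):
    """Return (ok, problems). ok is True when some RRSIG over the DNSKEY RRset is
    made by a key that is present in the zone, referenced by a DS record, and
    whose inception..expiration window contains `now` (RFC 4035 section 5.3.1).
    A fresh signature by a key with no DS (the ZSK here) does not help."""
    problems, usable = [], 0
    for sig in rrsigs:
        if sig.type_covered != "DNSKEY":
            continue
        if sig.key_tag not in ds_tags:
            problems.append(f"key {sig.key_tag}: no DS refers to it, not a SEP")
            continue
        if sig.key_tag not in dnskey_tags:
            problems.append(f"key {sig.key_tag}: not in the DNSKEY RRset")
            continue
        inc, exp = parse_sigtime(sig.inception), parse_sigtime(sig.expiration)
        if now > exp:
            problems.append(f"key {sig.key_tag}: RRSIG expired {(now - exp).days} days ago")
        elif now < inc:
            problems.append(f"key {sig.key_tag}: RRSIG inception is in the future")
        else:
            usable += 1
    return usable > 0, problems


def check_thread_case(now_iso: str = "2020-10-06T13:18:00"):
    """Evaluate the zone's records at a given UTC time (default: the report's date)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return secure_entry_point(RRSIGS, DS_KEY_TAGS, DNSKEY_TAGS, now)
```

At the report's date this yields no SEP (the KSK signature is 149 days expired and the ZSK signature has no DS), while a date inside the KSK signature's window validates.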

