And has anyone reported this to them?

> On 11 Mar 2021, at 09:37, Mark Andrews <ma...@isc.org> wrote:
>
> So who is correctly rejecting DS at top of zone at load time? There is no way
> to query for this RRset.
>
>> On 11 Mar 2021, at 06:29, Peter van Dijk <peter.van.d...@powerdns.com> wrote:
>>
>> On Wed, 2021-03-10 at 16:44 +0000, Matthew Richardson wrote:
>>> 9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se: type NSEC3, class IN
>>>>    Name: 9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se
>>
>> Which is the NSEC3 hash of 'prv.se.',
>>
>>>>    Type: NSEC3 (50)
>>>>    Class: IN (0x0001)
>>>>    Time to live: 3600
>>>>    Data length: 43
>>>>    Hash algorithm: SHA-1 (1)
>>>>    NSEC3 flags: 0
>>>>        .... ...0 = NSEC3 Opt-out flag: Additional insecure
>>>> delegations forbidden
>>>>    NSEC3 iterations: 50
>>>>    Salt length: 8
>>>>    Salt value: 33e9285ab62c0803
>>>>    Hash length: 20
>>>>    Next hashed owner: 4f848f41f3884a3fc412e821e031cdd8b9a48eca
>>>>    RR type in bit map: A (Host Address)
>>>>    RR type in bit map: NS (authoritative Name Server)
>>>>    RR type in bit map: SOA (Start Of a zone of Authority)
>>>>    RR type in bit map: MX (Mail eXchange)
>>>>    RR type in bit map: TXT (Text strings)
>>>>    RR type in bit map: DS(Delegation Signer)
>>
>> which apparently has a DS at the apex of the child zone, which is
>> somewhere between 'useless' and 'wrong'.
>>
>>>>    RR type in bit map: RRSIG
>>>>    RR type in bit map: DNSKEY
>>>>    RR type in bit map: NSEC3PARAM
>>
>> Combined with
>>
>>> 10-Mar-2021 16:20:11.606 dnssec: info: validating _dmarc.prv.se/TXT:
>> bad cache hit (_dmarc.prv.se/DS)
>>
>> My vague suspicion is that BIND is flagging this as an impossible
>> situation, because a DS should live in the parent, and only in the
>> parent.
>>
>> I recall isc.org 'recently' had a DS at the apex of the child zone; I
>> wonder if after ISC removed that, they made BIND, as a validator,
>> stricter about it when detected.
>>
>> Kind regards,
>> --
>> Peter van Dijk
>> PowerDNS.COM BV - https://www.powerdns.com/
>>
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations@lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
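
Added example, not part of the thread and not code from BIND or PowerDNS: a Python sketch that recomputes the RFC 5155 NSEC3 owner hash for a zone name using the salt and iteration count quoted above, and flags a type bitmap that lists DS together with SOA (DS at the child apex). The function names, the `check_quoted_record` helper and the SOA-plus-DS rule as the apex test are assumptions made for illustration.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex"), which RFC 5155 uses.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire form: lower-cased, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1): one hash plus `iterations` re-hashes."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()

def ds_at_child_apex(types):
    """SOA in the bitmap marks a zone apex; DS belongs on the parent side only."""
    return "SOA" in types and "DS" in types

# Values copied from the NSEC3 record quoted in the thread.
OWNER_LABEL = "9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt"
SALT, ITERATIONS = "33e9285ab62c0803", 50
BITMAP_TYPES = {"A", "NS", "SOA", "MX", "TXT", "DS", "RRSIG", "DNSKEY", "NSEC3PARAM"}

def check_quoted_record(zone="prv.se."):
    """Return (owner label is the hash of `zone`, DS present at the apex)."""
    return (nsec3_hash(zone, SALT, ITERATIONS) == OWNER_LABEL,
            ds_at_child_apex(BITMAP_TYPES))

if __name__ == "__main__":
    is_apex_hash, ds_flag = check_quoted_record()
    print("owner label is NSEC3 hash of prv.se.:", is_apex_hash)
    print("DS listed at zone apex:", ds_flag)
```

The same `ds_at_child_apex` test can be run over the apex RRset types of a zone file before it is loaded or signed.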