> On Oct 18, 2022, at 12:02 AM, Viktor Dukhovni <[email protected]> wrote:
>
> On Mon, Oct 17, 2022 at 09:52:43PM -0700, [email protected] wrote:
>
>> Having some problems resolving qa.ws.igt.fiscal.treasury.gov. There is
>> pretty clearly a problem,
>>
>> https://dnsviz.net/d/qa.ws.igt.fiscal.treasury.gov/dnssec/
>
> DNSViz struggles to display this properly, because the same underlying
> nameservers serve both the parent and child zone, and instead of
> referrals serves authoritative data from the child. However, the
> parent zone is signed, and the child zone is not. A resolver
> expecting signed answers from the parent sees unsigned answers
> instead and is liable to get confused.

The one clear issue that I see here is that the signer field in RRSIGs in
responses from fiscal.treasury.gov is treasury.gov:

$ dig +dnssec @ns1.treasury.gov igt.fiscal.treasury.gov ds | awk '$4 == "RRSIG" { print $12 }'
treasury.gov.
treasury.gov.

Because there is a zone cut at fiscal.treasury.gov, the signer should be
fiscal.treasury.gov. That being said, I can't tell at a glance why DNSViz is
drawing ZSK 3908 in the fiscal.treasury.gov zone, rather than in the
treasury.gov zone.
Casey
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
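Casey's check above (signer field of the RRSIG versus the zone that owns the RRset) generalised to any RRset, as an added example that is not part of the thread: given a set of known zone apexes, the expected signer of a DS RRset at a zone apex is the parent zone, and of every other RRset the closest enclosing zone. The RRSIG lines and the key tags 1234/5678 are constructed; only key tag 3908 and the zone names come from the thread.

```python
# Constructed sample in dig presentation format: the DS RRset for igt.fiscal.treasury.gov
# signed under treasury.gov (what dig showed in the thread), the same RRset signed by the
# correct zone, and an A record at the treasury.gov apex for contrast. Signatures are dummies.
SAMPLE_RRSIGS = """\
igt.fiscal.treasury.gov. 3600 IN RRSIG DS 8 4 3600 20221101000000 20221018000000 3908 treasury.gov. ZmFrZQ==
igt.fiscal.treasury.gov. 3600 IN RRSIG DS 8 4 3600 20221101000000 20221018000000 1234 fiscal.treasury.gov. ZmFrZQ==
www.treasury.gov. 300 IN RRSIG A 8 3 300 20221101000000 20221018000000 5678 treasury.gov. ZmFrZQ==
"""

# Zone apexes from the thread's delegation chain (assumption: this set is complete).
ZONE_CUTS = {"treasury.gov.", "fiscal.treasury.gov.", "igt.fiscal.treasury.gov."}

def normalize(name):
    return name.lower().rstrip(".") + "."

def enclosing_zone(name, zone_cuts):
    """Longest known zone apex that equals the name or is an ancestor of it."""
    labels = normalize(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone_cuts:
            return candidate
    return None

def expected_signer(owner, rrtype, zone_cuts):
    """RFC 4035 5.3.1: the signer is the zone containing the RRset. A DS RRset at a
    zone apex belongs to the parent zone, so it must be signed by the parent."""
    zone = enclosing_zone(owner, zone_cuts)
    if zone is None:
        return None
    if rrtype == "DS" and normalize(owner) == zone:
        parent = ".".join(zone.rstrip(".").split(".")[1:]) + "."
        return enclosing_zone(parent, zone_cuts) if parent != "." else None
    return zone

def check_signers(text, zone_cuts=ZONE_CUTS):
    """Return (owner, type, key_tag, actual_signer, expected_signer) per mismatching RRSIG."""
    bad = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG type alg labels origttl expire incept keytag signer sig
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        owner, rrtype, key_tag, signer = f[0], f[4], int(f[10]), normalize(f[11])
        want = expected_signer(owner, rrtype, zone_cuts)
        if want != signer:
            bad.append((owner, rrtype, key_tag, signer, want))
    return bad

# Over the constructed sample only the RRSIG with signer treasury.gov. is flagged.
MISMATCHES = check_signers(SAMPLE_RRSIGS)
```

To run it against live data, feed the output of the `dig +dnssec ... ds` query from the thread into `check_signers` and extend `ZONE_CUTS` with the apexes found while walking the delegation chain.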