Not for DS as it is part of the parent zone. -- Mark Andrews
> On 19 Oct 2022, at 06:52, Casey Deccio <[email protected]> wrote: > > > >> On Oct 18, 2022, at 12:02 AM, Viktor Dukhovni <[email protected]> wrote: >> >>> On Mon, Oct 17, 2022 at 09:52:43PM -0700, [email protected] wrote: >>> >>> Having some problems resolving qa.ws.igt.fiscal.treasury.gov. There is >>> pretty clearly a problem, >>> >>> https://dnsviz.net/d/qa.ws.igt.fiscal.treasury.gov/dnssec/ >> >> DNSViz struggles to display this properly, because the same underlying >> nameservers serve both the parent and child zone, and instead of >> referrals serves authoritative data from the child. However, the >> parent zone is signed, and the child zone is not. A resolver >> expecting signed answers from the parent sees unsigned answers >> instead and is liable to get confused. > > The one clear issue that I see here is that the signer field in RRSIGs in > responses from fiscal.treasury.gov is treasury.gov: > > $ dig +dnssec @ns1.treasury.gov igt.fiscal.treasury.gov ds | awk '$4 == > "RRSIG" { print $12 }' > treasury.gov. > treasury.gov. > > Because there is a zone cut at fiscal.treasury.gov, the the signer should be > fiscal.treasury.gov. That being said, I can't tell at-a-glance why DNSViz is > drawing ZSK 3908 in the fiscal.treasury.gov zone, rather than in the > treasury.gov zone. > > Casey > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
