There's a validated insecure delegation from treasury.gov to fiscal.treasury.gov.
I can't say why any RRSIGs or other DNSSEC records are being returned for queries for records in fiscal.treasury.gov; however, those records are spurious. As DNSVIZ does show, the delegation from the last secure zone, treasury.gov, to fiscal.treasury.gov is insecure. And thus the subsequent delegation from fiscal.treasury.gov to igt.fiscal.treasury.gov is also insecure. Once the chain of trust is properly broken and the status moves to insecure, everything below that point is also insecure. DNSVIZ is attempting to make some sense of the spurious DNSSEC records and show what the state would be if there weren't an insecure delegation at treasury.gov. Or at least that's my guess at what it's doing.

I haven't found any public resolver or other implemented validator that doesn't properly validate qa.ws.igt.fiscal.treasury.gov as insecure.

Scott

On Tue, Oct 18, 2022, 15:35 Casey Deccio <ca...@deccio.net> wrote:
>
> On Oct 18, 2022, at 1:58 PM, Mark Andrews <ma...@isc.org> wrote:
> >
> > Not for DS as it is part of the parent zone.
> >
>
> Right. What I meant (but didn't say) was this:
>
> The following is a query for testing for the presence of a DS record in
> the igt.fiscal.treasury.gov zone. The signer for the records in the
> response should be the parent zone of igt.fiscal.treasury.gov, which is
> fiscal.treasury.gov. However, the signer for the records in the
> observed response is treasury.gov.
>
_______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
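The two points made in the thread, that validation status is inherited down every delegation once a secure parent proves there is no DS, and that a DS RRset (or the NSEC/NSEC3 proving its absence) must be signed by the parent zone, can be checked mechanically. The following is an added example, not code from the list posters or from DNSVIZ. It runs a chain-of-trust walk over a constructed model of the delegation hierarchy (which zones are signed, and which child zones have a DS published in each parent). The model's contents mirror the situation the thread describes and are not live DNS data; the zone names and the `ZONES` table are assumptions for illustration.

```python
"""
Walk a DNSSEC chain of trust over a constructed model of a delegation
hierarchy and report each zone's validation status.  The model mirrors the
situation described on the dns-operations thread (treasury.gov publishes no
DS for fiscal.treasury.gov); it is constructed for this example and is not
live DNS data.
"""
from __future__ import annotations

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Constructed model (assumption): zone apex -> whether the zone is signed,
# and the set of child zones for which this zone publishes a DS RRset.
# The root is the trust anchor.
ZONES = {
    ".": {"signed": True, "ds_for": {"gov"}},
    "gov": {"signed": True, "ds_for": {"treasury.gov"}},
    # No DS for fiscal.treasury.gov: the delegation is proven insecure here.
    "treasury.gov": {"signed": True, "ds_for": set()},
    # fiscal.treasury.gov serves DNSKEY/RRSIG/DS records anyway; they are
    # spurious because the chain is already broken above it.
    "fiscal.treasury.gov": {"signed": True, "ds_for": {"igt.fiscal.treasury.gov"}},
    "igt.fiscal.treasury.gov": {"signed": True, "ds_for": set()},
}


def zone_cuts(name: str, zones: dict) -> list[str]:
    """Zones from the root down to the closest enclosing zone of `name`."""
    stripped = name.strip(".")
    labels = stripped.split(".") if stripped else []
    cuts = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            cuts.append(candidate)
    return cuts


def chain_status(name: str, zones: dict) -> list[tuple[str, str]]:
    """Validate from the trust anchor down to the zone containing `name`.

    Returns [(zone, status), ...].  At each delegation: a secure parent with a
    DS for the child yields secure (or bogus if the child is unsigned); a
    secure parent with an authenticated denial of DS yields insecure; and once
    the chain is insecure or bogus, that status is inherited by every zone
    below, no matter what DS/RRSIG records those zones serve.
    """
    cuts = zone_cuts(name, zones)
    status = SECURE  # root trust anchor
    result = [(cuts[0], status)]
    for parent, child in zip(cuts, cuts[1:]):
        if status == SECURE:
            if child in zones[parent]["ds_for"]:
                status = SECURE if zones[child]["signed"] else BOGUS
            else:
                status = INSECURE  # secure parent proves there is no DS
        # else: chain already broken above; status is inherited unchanged
        result.append((child, status))
    return result


def parent_zone(child_zone: str, zones: dict) -> str | None:
    """The zone that holds the delegation (and any DS) for `child_zone`."""
    cuts = zone_cuts(child_zone, zones)
    if len(cuts) < 2 or cuts[-1] != child_zone.strip("."):
        return None  # not a zone apex in the model, so no DS applies
    return cuts[-2]


def ds_signer_ok(child_zone: str, rrsig_signer: str, zones: dict) -> bool:
    """A DS RRset, or the NSEC/NSEC3 proving its absence, lives in the parent
    zone, so the RRSIG signer name must be exactly the parent zone."""
    return rrsig_signer.strip(".") == parent_zone(child_zone, zones)


if __name__ == "__main__":
    for zone, status in chain_status("qa.ws.igt.fiscal.treasury.gov", ZONES):
        print(f"{zone:28} {status}")
    print("DS signer treasury.gov ok?",
          ds_signer_ok("igt.fiscal.treasury.gov", "treasury.gov", ZONES))
    print("DS signer fiscal.treasury.gov ok?",
          ds_signer_ok("igt.fiscal.treasury.gov", "fiscal.treasury.gov", ZONES))
```

Running the walk for qa.ws.igt.fiscal.treasury.gov over this model reports treasury.gov as secure, fiscal.treasury.gov as insecure, and igt.fiscal.treasury.gov as insecure despite the DS that fiscal.treasury.gov publishes for it; the signer check returns false for an RRSIG over the igt.fiscal.treasury.gov DS query that is signed by treasury.gov rather than fiscal.treasury.gov. To compare against live data, the same checks apply to the signer name field of the RRSIG in a `dig +dnssec DS <child>` response.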