Isn’t it more not copying the NS records into the GL zone so that the signer will generate the correct NSEC3 chain? You could get away with missing this step pre-DNSSEC if parent and child where served by the same set of servers but not now that DNSSEC exists and especially if the parent is signed.
Mark > On 20 Jun 2023, at 16:13, Bill Woodcock <[email protected]> wrote: > > Yes, the second-levels have been broken since the middle of last October. > CentralNIC unexpectedly created new delegation points for the second-level > domains, but has not yet copied the DS records down from the parent, nor > created new ones of their own. We remind them of the issue periodically, but > no response thus far. > > -Bill > > > >> On Jun 20, 2023, at 4:23 AM, Viktor Dukhovni <[email protected]> wrote: >> >> The .GL TLD returns bogus NXDOMAIN responses to DS queries for: >> >> com.gl. IN DS ? ; NXDomain https://dnsviz.net/d/com.gl/ZJEMOQ/dnssec/ >> gl. IN SOA a.nuuk.nic.gl. [email protected]. 2022119284 900 1800 6048000 >> 3600 >> gl. IN RRSIG SOA 8 1 900 20230705050000 20230618050000 39306 gl. [...] >> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN NSEC3 1 1 10 504d114b >> SAGKR73F41OMFFI8TDE1CGHOQM502SIH NS SOA RRSIG DNSKEY NSEC3PARAM >> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN RRSIG NSEC3 8 2 3600 >> 20230705050000 20230618050000 39306 gl. [...] >> BBTTMJM743SRPQ6J4KQDIUC73E3C1HOA.gl. IN NSEC3 1 1 10 504d114b >> BSHTF866A32E02RJ617EUE8CCP45A6V4 NS DS RRSIG >> BBTTMJM743SRPQ6J4KQDIUC73E3C1HOA.gl. IN RRSIG NSEC3 8 2 3600 >> 20230705050000 20230618050000 39306 gl. [...] >> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN NSEC3 1 1 10 504d114b >> 742MB65DHD2D8BG0846S1RKRER2E8CUB NS DS RRSIG >> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN RRSIG NSEC3 8 2 3600 >> 20230705050000 20230618050000 39306 gl. [...] >> >> edu.gl. IN DS ? ; NXDomain https://dnsviz.net/d/edu.gl/ZJEKYw/dnssec/ >> gl. IN SOA a.nuuk.nic.gl. [email protected]. 2022119284 900 1800 6048000 >> 3600 >> gl. IN RRSIG SOA 8 1 900 20230705050000 20230618050000 39306 gl. [...] >> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN NSEC3 1 1 10 504d114b >> SAGKR73F41OMFFI8TDE1CGHOQM502SIH NS SOA RRSIG DNSKEY NSEC3PARAM >> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN RRSIG NSEC3 8 2 3600 >> 20230705050000 20230618050000 39306 gl. [...] >> O3DN0L28MEKMTHMNP658AQ4UUG4CDHTP.gl. IN NSEC3 1 1 10 504d114b >> OE6EUSIJCPGO9R8RG0RO7Q9TPS7L9A46 NS DS RRSIG >> O3DN0L28MEKMTHMNP658AQ4UUG4CDHTP.gl. IN RRSIG NSEC3 8 2 3600 >> 20230705050000 20230618050000 39306 gl. [...] >> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN NSEC3 1 1 10 504d114b >> 742MB65DHD2D8BG0846S1RKRER2E8CUB NS DS RRSIG >> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN RRSIG NSEC3 8 2 3600 >> 20230705050000 20230618050000 39306 gl. [...] >> >> org.gl. IN DS ? ; NXDomain https://dnsviz.net/d/org.gl/ZJEMkg/dnssec/ >> gl. IN SOA a.nuuk.nic.gl. [email protected]. 2022119284 900 1800 6048000 >> 3600 >> gl. IN RRSIG SOA 8 1 900 20230705050000 20230618050000 39306 gl. [...] >> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN NSEC3 1 1 10 504d114b >> SAGKR73F41OMFFI8TDE1CGHOQM502SIH NS SOA RRSIG DNSKEY NSEC3PARAM >> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN RRSIG NSEC3 8 2 3600 >> 20230705050000 20230618050000 39306 gl. [...] >> EB30Q0MC6UJD3MIGICRL31Q4SNSIT4T7.gl. IN NSEC3 1 1 10 504d114b >> EE4KJQ89ME2PR0AOHKV4G9OACUF3367V NS DS RRSIG >> EB30Q0MC6UJD3MIGICRL31Q4SNSIT4T7.gl. IN RRSIG NSEC3 8 2 3600 >> 20230705050000 20230618050000 39306 gl. [...] >> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN NSEC3 1 1 10 504d114b >> 742MB65DHD2D8BG0846S1RKRER2E8CUB NS DS RRSIG >> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN RRSIG NSEC3 8 2 3600 >> 20230705050000 20230618050000 39306 gl. [...] >> >> All three 2LDs exist, are delegated, have SOA records and child zones. >> >> -- >> Viktor. >> _______________________________________________ >> dns-operations mailing list >> [email protected] >> https://lists.dns-oarc.net/mailman/listinfo/dns-operations > > > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
