You are reading this message because you are a watcher of the DNS queue at GNOME.org Request Tracker.
Mon Aug 18 19:29:05 2014: Request 14466 was acted upon.
Transaction: Ticket created by [email protected]
       Queue: DNS
     Subject: DNSSEC for *.bugzilla-attachments.gnome.org is wonky
       Owner: Nobody
  Requestors: [email protected]
      Status: new
 Ticket <URL: https://rt.gnome.org/Ticket/Display.html?id=14466 >

--- Original message follows:
--------------------------------------------------------------

Some tools (but not all) seem to be having problems resolving
<foo>.bugzilla-attachments.gnome.org.

For example, the VeriSign debugger [1] says:

> RRSIG=40692 and DNSKEY=40692 does not verify the A RRset (RSA Verification
> failed)

Meanwhile, DNSViz [2] shows 'A' records as secure/existent *and*
secure/nonexistent at the same time, while 'AAAA' records show up as both
secure/existent and bogus/nonexistent (if you enable additional options [3]).

> NSEC RRs proving non-existence of
> bug734290.bugzilla-attachments.gnome.org/AAAA:
> The NSEC RR(s) are insufficient to prove non-existence of
> bug734290.bugzilla-attachments.gnome.org/AAAA.

Unbound says "Validate: message contains bad rrsets", meanwhile, `drill -S`
and `drill -TD` validate everything just fine.

Interestingly, Unbound lets it through if I turn off forwarding and make it
recurse itself. I think I've had this problem before. But that doesn't explain
why DNSViz and VeriSign show failures...

[1]: http://dnssec-debugger.verisignlabs.com/bug734290.bugzilla-attachments.gnome.org
[2]: http://dnsviz.net/d/bug734290.bugzilla-attachments.gnome.org/dnssec/
[3]: http://dnsviz.net/d/bug734290.bugzilla-attachments.gnome.org/dnssec/?rr=all&a=all&ds=all&doe=on&red=on&ta=.&ta=dlv.isc.org.&tk=

-- 
Mantas Mikulėnas <[email protected]>

_______________________________________________
gnome-infrastructure mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure
