On Mon Aug 18 19:29:05 2014, [email protected] wrote:
> Some tools (but not all) seem to be having problems resolving
> <foo>.bugzilla-attachments.gnome.org. For example, the VeriSign
> debugger [1] says:

Hey!

I'm starting to think some of the tools out there are not correctly validating 
wildcard entries and the respective NSEC records.

With my local unbound resolver I get:

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 5

;; ANSWER SECTION:
bug11111.bugzilla-attachments.gnome.org. 900 IN A 209.132.180.175
bug11111.bugzilla-attachments.gnome.org. 900 IN RRSIG A 5 3 900 20140917164443 
20140818164443 40692 gnome.org. 
bjqGR2KuakxNa3fhgdNtOL6CNxLsyXxMG8IpKnYBB+/jH9Irjcyyhx5S 
+ceFEA8CcgJLOrxBDcLTUda7bH1I1tup3Ydy3qGD/rj/gQn/aSlTC/Ll 
m0PTFNFLSt4vl2D0Uom9Dm1LvxquEPM0OBljMYFb8QX7fXV0edqwmipB jQY=

As the 'ad' flag says, the record was successfully verified. The same problem 
was found with the *.fedorapeople.org entry, for example [1], so I'm pretty 
sure the issue is not with the signatures themselves but with the tools used to 
verify them and their problems verifying NSEC records correctly in the presence 
of wildcard entries.

Let me know if you found out more!

[1] http://dnssec-debugger.verisignlabs.com/test.fedorapeople.org

-- 
Andrea,
GNOME Sysadmin
GNOME Accounts Team
GNOME Membership & Elections Committee Chairman


----------------------------------------------------
This message was sent via GNOME.org Request Tracker.
_______________________________________________
gnome-infrastructure mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure
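
The wildcard check discussed in the message above, as an added example that is not part of the original e-mail or of any tool it mentions: a validator sees that the RRSIG Labels field (3) is smaller than the owner name's label count (4), reconstructs the wildcard, and then requires an NSEC covering the query name. The NSEC pair below is constructed (the authority section is not shown in the message), and all function names are hypothetical.

```python
def labels(name):
    """Lowercased labels of a presentation-format name, root label dropped."""
    return [l.lower().encode() for l in name.rstrip(".").split(".") if l]

def wildcard_source(owner, rrsig_labels):
    """RFC 4035 5.3.2: wildcard the RRSIG was made over, or None if the
    answer was not synthesized from a wildcard."""
    ls = labels(owner)
    count = len(ls) - (1 if ls and ls[0] == b"*" else 0)
    if rrsig_labels > count:
        raise ValueError("RRSIG Labels field exceeds owner label count")
    if rrsig_labels == count:
        return None
    tail = [l.decode() for l in ls[len(ls) - rrsig_labels:]]
    return ".".join(["*"] + tail) + "."

def canonical_key(name):
    """RFC 4034 6.1 canonical order: compare labels right to left, bytewise."""
    return tuple(reversed(labels(name)))

def nsec_covers(nsec_owner, nsec_next, qname):
    """True if qname falls strictly between the NSEC owner and its next name."""
    o, n, q = (canonical_key(x) for x in (nsec_owner, nsec_next, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps back to the apex

def check_wildcard_answer(qname, rrsig_labels, nsecs):
    """Return (source, proven): the wildcard the answer came from and whether
    a supplied NSEC proves no exact match for qname exists. A validator must
    treat (wildcard, False) as bogus; signature verification is out of scope."""
    source = wildcard_source(qname, rrsig_labels)
    if source is None:
        return None, True
    return source, any(nsec_covers(o, n, qname) for o, n in nsecs)

QNAME = "bug11111.bugzilla-attachments.gnome.org."
RRSIG_LABELS = 3  # from the answer above: "RRSIG A 5 3 900 ..."
# Constructed NSEC (owner, next); the real authority section is not shown.
SAMPLE_NSECS = [("*.bugzilla-attachments.gnome.org.", "build.gnome.org.")]

if __name__ == "__main__":
    print(check_wildcard_answer(QNAME, RRSIG_LABELS, SAMPLE_NSECS))
```

A tool that skips the Labels comparison, or that orders names as plain strings instead of label by label from the right, will reject or mis-prove exactly this kind of answer.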
