> On Mar 11, 2021, at 4:54 PM, Simon Arlott via dns-operations
> wrote:
>
> On 11/03/2021 23:36, Casey Deccio wrote:
>> Oh, I see now. The actual delegation is missing completely, as far as I can
>> tell.
>>
>> $ dig +short @ns1.dla.mil gtm-ext.dla.mil a
>> $ dig +short @ns1.dla.mil
--- Begin Message ---
On 11/03/2021 23:36, Casey Deccio wrote:
> Oh, I see now. The actual delegation is missing completely, as far as I can
> tell.
>
> $ dig +short @ns1.dla.mil gtm-ext.dla.mil a
> $ dig +short @ns1.dla.mil gtm-ext.dla.mil
> $ dig +short @ns1.dla.mil gtm-ext.dla.mil ns
Hi Peter!
> On Mar 11, 2021, at 11:54 AM, Peter van Dijk
> wrote:
>
>>
>> That's a fair point. *Normally* the error would be something more like: "No
>> RRSIGs were found covering the RRset". But in this case, there *was* an
>> RRSIG, so it didn't get *that* error. DNSViz used to
--- Begin Message ---
I've reached out and discussed this issue with persons who manage dla.mil. They
are looking into this.
v/r,
Ryan Stephenson
Defense Information Systems Agency
DoD NIC IE721
COM: 614-692-5284 | DSN: 312-850-5284
UE: ryan.m.stephenson2@mail.mil
CE:
Hello Casey,
On Thu, 2021-03-11 at 09:58 -0700, Casey Deccio wrote:
> > On Mar 11, 2021, at 2:59 AM, Peter van Dijk
> > wrote:
> >
> > On Thu, 2021-03-11 at 10:33 +0100, Peter van Dijk wrote:
> > > That actually looks fine to me - DS is signed by parent (dla.mil),
> > > DNSKEY is signed by
> On Mar 11, 2021, at 2:59 AM, Peter van Dijk
> wrote:
>
> On Thu, 2021-03-11 at 10:33 +0100, Peter van Dijk wrote:
>>
>> That actually looks fine to me - DS is signed by parent (dla.mil),
>> DNSKEY is signed by child (gtm-ext.dla.mil).
>
> This means that the error reported by DNSViz:
>
On Thu, 2021-03-11 at 10:33 +0100, Peter van Dijk wrote:
>
> That actually looks fine to me - DS is signed by parent (dla.mil),
> DNSKEY is signed by child (gtm-ext.dla.mil).
This means that the error reported by DNSViz:
RRSIG quicksearch.gtm-ext.dla.mil/A alg 8, id 29085: The Signer's Name
On 3/11/21 9:21 AM, Matthijs Mekking wrote:
which apparently has a DS at the apex of the child zone, which is
somewhere between 'useless' and 'wrong'.
It is more wrong than useless: From RFC 4035:
All DS RRsets in a zone MUST be signed, and DS
RRsets MUST NOT appear at a zone's apex.
On Thu, 2021-03-11 at 03:38 -0500, Viktor Dukhovni wrote:
>
> > Also visible on DNSViz
> > https://dnsviz.net/d/quicksearch.gtm-ext.dla.mil/dnssec/
>
> Somehow the subdomain as served by the parent's nameservers ended up
> with its own separate DNSKEYs and a DS RRset owned by the subdomain,
>
On 11.03.21 09:38, Viktor Dukhovni wrote:
> dla.mil. IN SOA eagleib1.ad.dla.mil. gregory.wea...@dla.mil. ...
Thank you! I accidentally wrote to greg...@weaver.dla.mil which failed
of course. Sent again now.
On Thu, Mar 11, 2021 at 08:52:37AM +0100, Winfried Angele wrote:
> Hello list,
>
> the zone gtm-ext.dla.mil validates as Bogus. For instance:
The containing zone is dla.mil, with no delegation for this
subdomain. Its SOA is:
dla.mil. IN SOA eagleib1.ad.dla.mil. gregory.wea...@dla.mil.
On 10-03-2021 20:29, Peter van Dijk wrote:
On Wed, 2021-03-10 at 16:44 +, Matthew Richardson wrote:
9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se: type NSEC3, class IN
Name: 9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se
Which is the NSEC3 hash of 'prv.se.',
Type:
Hello list,
the zone gtm-ext.dla.mil validates as Bogus. For instance:
$ dig @127.1 quicksearch.gtm-ext.dla.mil
; <<>> DiG 9.16.11 <<>> @127.1 -p 531 quicksearch.gtm-ext.dla.mil
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24384