On Mon, Jun 19, 2023 at 10:23:13PM -0400,
Viktor Dukhovni wrote
a message of 66 lines which said:
> The .GL TLD returns bogus NXDOMAIN responses to DS queries for:
But it replies properly for NSEC3PARAM :-)
% dig +dnssec @d.nic.gl NSEC3PARAM com.gl
; <<>> DiG 9.18.12-1-Debian <<>> +dnssec
Yes, that too. There’s a bit of a laundry-list.
-Bill
> On Jun 20, 2023, at 8:47 AM, Mark Andrews wrote:
>
> Isn’t it more not copying the NS records into the GL zone so that the signer
> will generate the correct NSEC3 chain?
> You could get away with missing this step
Isn’t it more not copying the NS records into the GL zone so that the signer
will generate the correct NSEC3 chain?
You could get away with missing this step pre-DNSSEC if parent and child where
served by the same set of servers but
not now that DNSSEC exists and especially if the parent is
Yes, the second-levels have been broken since the middle of last October.
CentralNIC unexpectedly created new delegation points for the second-level
domains, but has not yet copied the DS records down from the parent, nor
created new ones of their own. We remind them of the issue
The .GL TLD returns bogus NXDOMAIN responses to DS queries for:
com.gl. IN DS ? ; NXDomain https://dnsviz.net/d/com.gl/ZJEMOQ/dnssec/
gl. IN SOA a.nuuk.nic.gl. gl-ad...@tele.gl. 2022119284 900 1800 6048000 3600
gl. IN RRSIG SOA 8 1 900 2023070505 2023061805 39306 gl. [...]