Re: DNSSEC & Wildcards

2024-03-15 Thread Mark Andrews
Yep. Look for an upgrade then file a bug report if not fixed by the upgrade. It should be < 10 minutes work to fix + tests etc.
-- Mark Andrews
> On 16 Mar 2024, at 05:18, Bjørn Mork wrote:
> Dennis Burgess writes:
>
>> Looks like Bjorn was correct, one too many signatures ☹ Removed one
>

Re: DNSSEC & Wildcards

2024-03-15 Thread Bjørn Mork
Dennis Burgess writes:
> Looks like Bjorn was correct, one too many signatures ☹ Removed one
> and it's all fixed! Thanks to all that replied!!
Glad to hear that. But do note that Mark is right, of course. The real problem is a bug in your name server. What you have now is a workaround as so

RE: DNSSEC & Wildcards

2024-03-15 Thread Dennis Burgess via NANOG
Looks like Bjorn was correct, one too many signatures ☹ Removed one and it's all fixed! Thanks to all that replied!!
-----Original Message-----
From: Bjørn Mork
Sent: Friday, March 15, 2024 12:59 PM
To: Dennis Burgess via NANOG
Cc: Dennis Burgess
Subject: Re: DNSSEC & Wildcards
L

Re: DNSSEC & Wildcards

2024-03-15 Thread Mark Andrews
Wildcards and DNSSEC work fine as long as the nameserver vendor has not stuffed up. Too many vendors play fast and loose with the DNS protocol. Getting this correct is not hard but you do need to test before shipping. Additionally OS vendors tend to be way behind current releases from the name

Re: DNSSEC & Wildcards

2024-03-15 Thread Bjørn Mork
Looks like your DNS server correctly queues up the RRs, but erroneously believes it can drop data from the Authority section without setting the TC bit. Reducing the bufsize so the answer doesn't fit makes truncation work:
bjorn@miraculix:~$ dig a www.app.linktechs.net. +dnssec +multiline +norecur

Re: DNSSEC & Wildcards

2024-03-15 Thread Mark Andrews
The authority section is the correct section for the NSEC. Ask the question using TCP. I suspect that the server isn’t truncating the UDP response correctly. If I’m right you will get RRSIGs for the NSEC added to the additional section. If not the zone needs to be resigned as they are missing

Re: DNSSEC & Wildcards

2024-03-15 Thread Bjørn Mork
Matthew Pounsett writes:
> But, right off the top I can see that your name server is returning the
> NSEC record in the wrong section of the response.
No, the Authority section is correct here. See: https://datatracker.ietf.org/doc/html/rfc4035#section-3.1.3.3 But the RRSIG is missing.
Bjørn

Re: DNSSEC & Wildcards

2024-03-15 Thread Matthew Pounsett
On Fri, Mar 15, 2024 at 11:26 AM Dennis Burgess via NANOG wrote:
> So have *.app.linktechs.net that I have been trying to get to work, we
> have DNSSEC on this, and it's failing, but cannot for the life of me
> understand why. I think it may have something to do with proving it exists
> as a wild

Re: DNSSEC & Wildcards

2024-03-15 Thread Bjørn Mork
Dennis Burgess via NANOG writes:
> So have *.app.linktechs.net that I have been trying to get to work, we
> have DNSSEC on this, and it's failing, but cannot for the life of me
> understand why. I think it may have something to do with proving it
> exists as a wildcard, but any DNSSEC experts wan

Re: DNSSEC & Wildcards

2024-03-15 Thread John Levine
It appears that Niels Bakker said:
>* nanog@nanog.org (Dennis Burgess via NANOG) [Fri 15 Mar 2024, 16:26 CET]:
>>So have *.app.linktechs.net that I have been trying to get to work,
>>we have DNSSEC on this, and it's failing, but cannot for the life of
>>me understand why. I think it may have som

Re: DNSSEC & Wildcards

2024-03-15 Thread Niels Bakker
* nanog@nanog.org (Dennis Burgess via NANOG) [Fri 15 Mar 2024, 16:26 CET]:
So have *.app.linktechs.net that I have been trying to get to work, we have DNSSEC on this, and it's failing, but cannot for the life of me understand why. I think it may have something to do with proving it exists as a

DNSSEC & Wildcards

2024-03-15 Thread Dennis Burgess via NANOG
So have *.app.linktechs.net that I have been trying to get to work, we have DNSSEC on this, and it's failing, but cannot for the life of me understand why. I think it may have something to do with proving it exists as a wildcard, but any DNSSEC experts want to take a stab at it? Dennis Burges