Hi Ondrej,

The issue is not that DS but the other SHA2 DS that makes all the SHA1 DSes irrelevant.

Also, partial rrsets are something unbound doesn't do, but parent-child disagreements on the delegation glue are very common. Extreme leniency stuff.

Best regards, Wouter

On 10/04/17 14:48, Ondřej Surý wrote:
> Wouter,
>
> are you sure about the BOGUS status? I see (stripped down to minimum):
>
> 1. at the parent:
>
> $ kdig +multi +dnssec IN NS lkpp.go.id. @b.dns.id.
>
> KSK 31653
>
> lkpp.go.id. 43200 IN DS 31653 7 1 (
>     1DD2E4B3643C20097ECE57ECC1F36B8EFBBE303B
>     )
>
> 2. at the child:
>
> $ kdig +multi +dnssec IN DNSKEY lkpp.go.id. @ns1.lkpp.go.id.
>
> KSK 31653
>
> lkpp.go.id. 604800 IN DNSKEY 257 3 7 (
>     AwEAAc4geZlrl3lZHie+wgyVayHtQ/KX1LSLZ6FsfPUO
>     lHFsqHFV9osTQ+v9PR++SVPfU8cQZgmWeWsLut7JDqgX
>     WRSt1833y8Q80HCB67RLRNoyktFkVrhGh2/1qL+bPvJW
>     RdZjufqmvYMPpLJ+g8U1hx1JdsTOwSmEKuxGPlSJJft2
>     crQBIN/XRi6MEDE8tGdw3SnwkgocVmTRJteO2V+uLRpK
>     HN0WJYD7R7CGI0INoWbI2rsAgZr4hvbCQ3J0BToVoWue
>     2UbPbACaZgmJXx1FPOC4bHKDzLVtLi62k/L1a/AJwp9E
>     Zo7x5F7yCNQg6XUudxI+Nl7jJ5d12mJnQLsOFqUt48/R
>     UKV0Fm1hl6lka6DiogwqA+7iTcaGknRoIXXjZ2p/D7vf
>     i4vQGgmVV42POvrOi7rffhzbQEpiA7Vqx597cP8yCfbL
>     5cpWFZncxkkLgp92u3D2MWxtdE9aFcuP58xPbnO6mvKq
>     RrdnXzY4o2XbTtV4WlhJ69VzDoVeMm6p67R4R2cdqDZq
>     LkdrbLU29nj3fVkrMK+9IswIfVJl/DOEHzCCye8brlce
>     HF+vqNOb0g6OHj6S86aKtfKgl6DhiBFoaMneNSAFtca4
>     yVhCMngZOfiWTnxTPqWE0VHu8QrnNL7M2AjZXrZFweLl
>     AKvoYkUCb7HoOI+FASbZm3+0mkYx
>     ) ; KSK; alg = NSEC3RSASHA1; key id = 31653
>
> and
>
> lkpp.go.id. 604800 IN RRSIG DNSKEY 7 3 604800 (
>     20170428022332 20170329022332 31653
>     lkpp.go.id.
>     iAMSKEUwNHmjqCRBygXeqvK2+kYAOGhHd1ZdTFkZeQDv
>     D5/AmgfVASEpeso9kQ3Y/YRC8NBQ5JDFT/B3DFB26y9y
>     FKBgLLsIrOjLNw7286FikQGtp4ZIGJmxgSbClaZsMnBA
>     YS0vMu4uY42pOQ8C4gDMav94g1au+CU9w4QpBKDS8xtb
>     6f+1B+yc3eodXdzS/iyKJYrpqPVRlOnAFGlJuxLXQxNJ
>     GgC2ZvxmITARjfwDPROvo9zx9BoSKKnN1EV+sFqY0/xY
>     j9OO8Q2CcQFRRuwHO4UO4or2aa1xn8lle7yhQAG46pbB
>     74rFHU7Tyd5tfLNs0wD+gLTC27xw2kXRIJixgLM3bHOr
>     nREuAjeokP0KulNe/TvfTiUVD+jcdDRsdTcBOZRyDOQy
>     4Ke6pFp0jgQXXcwdRYnq39G6z+hdWuAmdN9ejnSg2R5N
>     o7CF/Kh+uL5E+tlkEZAdW5i94FDSxrmlnbqLNwD+Bc4Z
>     kwR8Rq7d4x2o1p5SjS8/v+vvsOUOVWN99Lnk9w7NwLfc
>     pwn83kN5a91jkcu1lcgR+Dr+l2WVUlqWSgTIwfIKQ8A5
>     y2PzaQCXZ1nCK5iexoYOl1zIgps4pM0WenAviFjHWgAE
>     med75qM7rwLZqqZpRBBOB3VaaHqYFQohm8f3sVLN1n+O
>     T6kkCOkeGsO+Saaht2SHHoU= )
>
> ZSK 15284
>
> lkpp.go.id. 604800 IN DNSKEY 256 3 7 (
>     AwEAAdX16LDm+07IAtsXv+bf2HHO5S+jngvxcpay
>     9awjHYtoy2tAPrjWWabRm8ymSO3wStqH6YY9xNiJ
>     sKF8t+BXBenV4TQgbFO/FuioTZwTex4t3dJf01Ss
>     auhidhoVVrPzkAOHOstHCjuIIxwH8DaGMncn7tx/
>     lF4+S3Joi8CwceBWrwbdA0IWq7e7WG5Z/w4pK96E
>     y4bpFDeY737EkBhPGiI5KAW5mD9eMkz7PZPss3vy
>     5oC863I+XcD1RyaCv+Yljq1ZLLvgfpN8fCkokAYM
>     QXxBK0PW0M4UPUTRbLatCHfxRawXpkg+bE/06bm/
>     QrgbwYoDCiOjvkasZUJ/Vdavr4M=
>     ) ; ZSK, RSASHA1_NSEC3_SHA1 (2048b), id = 15284
>
>
> $ kdig +multi +dnssec IN A lkpp.go.id. @ns1.lkpp.go.id.
>
>
> lkpp.go.id. 604800 IN A 103.206.244.234
> lkpp.go.id. 604800 IN RRSIG A 7 3 604800 20170428022332 (
>     20170329022332 15284 lkpp.go.id.
>     FfCuaRXD14lOhnTQgL1g3DjUXo/OFLrhn9Y1x+9Q
>     NWXniZgdiKhubf53ZxV8+xVYiBWvGGq0imcFoyzt
>     98Uv8DrT9iHP4a6aZgE45Z1DXX6UE7u4x0CYeZd7
>     g9JeV2s4jNWR1rYyln+DsbTBY5qLWNStaA71gvsn
>     w29Pk34ssV6AP38i9OHD7bk39CY6ClOlvVtd+8Uh
>     cZXAeWOr4BI+aCuJw5EYBte9GrlbBVD4z20Aw4/1
>     KBK9jitG0Ty5SJz/1gJPDwAzIN6SLMNLzGNEjGz9
>     cRsaPmlLBIOXwVC9MlTdR0GeYDTLzOZRRSviv/2u
>     Dglyc3eRIjofg/O8A6yzkQ==
>     )
>
> And Verisign's DNSSEC Debugger also seems to disagree with DNSViz:
>
> http://dnssec-debugger.verisignlabs.com/lkpp.go.id
>
> O.
>
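The reply above turns on DS digest selection: RFC 4509 tells validators to ignore SHA-1 DS records when the same DS RRset contains a SHA-256 DS. The sketch below is an added example, not part of the original thread and not unbound's code; the owner name, key bytes and function names are constructed, and the case of a SHA-256 DS that matches no served DNSKEY is an assumed scenario, not a statement about the zone discussed.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS tuple: (key tag, algorithm, digest type, digest)."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def usable_ds(ds_rrset):
    """Drop SHA-1 DS records when a SHA-256 DS is present (RFC 4509)."""
    if any(ds[2] == 2 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds[2] != 1]
    return list(ds_rrset)

def chain_status(owner, ds_rrset, dnskey_rdatas):
    """'secure' if a usable DS matches a served DNSKEY, otherwise 'bogus'."""
    for tag, alg, dtype, digest in usable_ds(ds_rrset):
        for rdata in dnskey_rdatas:
            if (key_tag(rdata), rdata[3]) == (tag, alg) and \
               make_ds(owner, rdata, dtype)[3] == digest:
                return "secure"
    return "bogus"

# Constructed sample data: placeholder key bytes, not the keys from the thread.
OWNER = "example.test."
CURRENT_KSK = dnskey_rdata(257, 3, 7, b"\x03\x01\x00\x01" + b"\xaa" * 64)
RETIRED_KSK = dnskey_rdata(257, 3, 7, b"\x03\x01\x00\x01" + b"\xbb" * 64)
SHA1_ONLY = [make_ds(OWNER, CURRENT_KSK, 1)]
# Parent also lists a SHA-256 DS for a key the child does not serve (assumed).
MIXED = SHA1_ONLY + [make_ds(OWNER, RETIRED_KSK, 2)]

if __name__ == "__main__":
    print(chain_status(OWNER, SHA1_ONLY, [CURRENT_KSK]))  # secure
    print(chain_status(OWNER, MIXED, [CURRENT_KSK]))      # bogus
```

A checker that tries each DS on its own and stops at the first match would report the MIXED case as secure, which is one way two tools can disagree on the same delegation.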
