Ticket ID: SIXXS #3168373 Ticket Status: Resolved PoP: (not applicable)
DNSSEC issue with 0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa -- missing delegation in parent zone?
Shadow Hawkins on Tuesday, 07 December 2010 16:05:50
Hi,
Just to let you know in case no one has noticed this so far.
Zone 0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa is not signed while its parent zone 9.0.8.f.6.0.1.0.0.2.ip6.arpa is signed, and a query for the child zone's DS record does not return the expected "insecure delegation" proof.
$ dig @ns1.sixxs.net +norec +dnssec 0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa ds
; <<>> DiG 9.7.2-P2-RedHat-9.7.2-3.P2.j1.fc14 <<>> @ns1.sixxs.net +norec +dnssec 0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa ds
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25058
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa. IN DS
;; AUTHORITY SECTION:
9.0.8.f.6.0.1.0.0.2.ip6.arpa. 604800 IN SOA localhost. hostmaster.sixxs.net. 2010113002 10800 3600 2419200 604800
9.0.8.f.6.0.1.0.0.2.ip6.arpa. 604800 IN RRSIG SOA ...
9.0.8.f.6.0.1.0.0.2.ip6.arpa. 604800 IN NSEC 1.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa. NS SOA TXT RRSIG NSEC DNSKEY
9.0.8.f.6.0.1.0.0.2.ip6.arpa. 604800 IN RRSIG NSEC ...
The NSEC record returned indicates that the child zone does not exist at all within the parent zone, while the correct reply would be an NSEC record showing the child zone exists but does not have a DS record.
My guess is that the parent zone is missing the delegation entry for the child zone. (Which will likely go unnoticed as long as one doesn't use a validating resolver, as both zones have the same nameservers anyway.)
Regards,
Jan
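The distinction drawn in the report above, as an added Python example that is not part of the original ticket: it classifies the single NSEC record returned for a DS query using RFC 4034 canonical name ordering. The function names and the second ("expected") record are constructed for illustration; it assumes the RRSIG over the NSEC has already been validated, and it skips wildcard checks and escaped dots in labels.

```python
def canon_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order: lowercase labels,
    compared right to left; a name sorts before its own descendants."""
    labels = name.rstrip(".").lower().split(".")
    return [] if labels == [""] else [l.encode("ascii") for l in reversed(labels)]


def nsec_covers(owner, next_name, qname):
    """True if qname falls strictly between an NSEC owner and its next name."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps back to the apex


def classify_ds_denial(qname, rcode, owner, next_name, types):
    """Interpret one NSEC returned for a DS query at a would-be delegation."""
    types = set(types)
    if canon_key(owner) == canon_key(qname):
        if "DS" in types:
            return "bogus: NSEC says a DS exists"
        if rcode == "NOERROR" and "NS" in types and "SOA" not in types:
            return "insecure delegation"
        return "name exists but is not a delegation"
    if rcode == "NXDOMAIN" and nsec_covers(owner, next_name, qname):
        return "no such name in parent zone"
    return "NSEC does not answer the question"


CHILD = "0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa."
PARENT = "9.0.8.f.6.0.1.0.0.2.ip6.arpa."
NEXT = "1.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa."

# NSEC exactly as shown in the dig output in the ticket.
observed = classify_ds_denial(
    CHILD, "NXDOMAIN", PARENT, NEXT,
    ["NS", "SOA", "TXT", "RRSIG", "NSEC", "DNSKEY"])

# Constructed record: what the parent would return with the delegation present
# (NSEC owned by the child name, NS set, no DS, no SOA).
expected = classify_ds_denial(
    CHILD, "NOERROR", CHILD, NEXT, ["NS", "RRSIG", "NSEC"])

if __name__ == "__main__":
    print("observed:", observed)
    print("expected:", expected)
```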
State change: resolved
Jeroen Massar on Tuesday, 07 December 2010 16:13:54
The state of this ticket has been changed to resolved
DNSSEC issue with 0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa -- missing delegation in parent zone?
Jeroen Massar on Tuesday, 07 December 2010 16:20:41
Good catch and thanks for reporting.
The delegation has been re-added (it should have been there...), zone re-signed, and thus the problem is resolved.