Ticket ID: SIXXS #9052558
Ticket Status: Won't fix
PoP: dkcph01 - Availo (Copenhagen)
DNSSEC delegation stops at 8.d.6.1.1.0.0.2.ip6.arpa
Shadow Hawkins on Saturday, 23 March 2013 14:37:42
I've been trying to verify my DNSSEC delegation for reverse lookups. However, it complains that the delegation chain stops higher up in the chain (at 2001:16d8) than my prefix. This is the relevant output of drill:
$ drill -T -k /etc/trusted-key.key -t PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.a.0.d.d.8.d.6.1.1.0.0.2.ip6.arpa
... snip ...
[T] 6.1.1.0.0.2.ip6.arpa. 86400 IN DS 53377 5 1 4313f41828db45e169f3b73fe5f242d7577eb45a
6.1.1.0.0.2.ip6.arpa. 86400 IN DS 53377 5 2 dfac3cbd259c80cd3af2e2ebe1cefc5557f7e0ec4ba849d82d219cba51536283
[T] Existence denied: 2.ip6.arpa. NS
;; There is an empty non-terminal here, continue
[T] Existence denied: 0.2.ip6.arpa. NS
;; There is an empty non-terminal here, continue
[T] Existence denied: 0.0.2.ip6.arpa. NS
;; There is an empty non-terminal here, continue
[T] Existence denied: 1.0.0.2.ip6.arpa. NS
;; There is an empty non-terminal here, continue
[T] Existence denied: 1.1.0.0.2.ip6.arpa. NS
;; There is an empty non-terminal here, continue
;; Domain: 6.1.1.0.0.2.ip6.arpa.
[T] 6.1.1.0.0.2.ip6.arpa. 3600 IN DNSKEY 257 3 5 ;{id = 48796 (ksk), size = 2048b}
6.1.1.0.0.2.ip6.arpa. 3600 IN DNSKEY 256 3 5 ;{id = 18430 (zsk), size = 1024b}
6.1.1.0.0.2.ip6.arpa. 3600 IN DNSKEY 256 3 5 ;{id = 22372 (zsk), size = 1024b}
6.1.1.0.0.2.ip6.arpa. 3600 IN DNSKEY 257 3 5 ;{id = 53377 (ksk), size = 2048b}
[T] Existence denied: d.6.1.1.0.0.2.ip6.arpa. DS
;; No ds record for delegation
[T] Existence denied: d.6.1.1.0.0.2.ip6.arpa. NS
;; There is an empty non-terminal here, continue
;; Domain: 8.d.6.1.1.0.0.2.ip6.arpa.
;; No DNSKEY record found for 8.d.6.1.1.0.0.2.ip6.arpa.
;; No DS for d.8.d.6.1.1.0.0.2.ip6.arpa.;; No ds record for delegation
[B] ;; Error verifying denial of existence for name d.8.d.6.1.1.0.0.2.ip6.arpa.NS: No DNSSEC signature(s)
Am I missing something, or is the DNSSEC delegation really missing? And in the latter case, any plans to fix that? :)
Thanks,
-Toke
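An added example, not part of the original ticket: a small parser for the `drill -T` trace quoted in the post above. It reports the last zone with a trusted DNSKEY, the first zone without one, and the IPv6 prefix each name covers. The function names and the abridged sample trace are constructed for illustration, and the regexes assume the line shapes shown in that post.

```python
import ipaddress
import re

# Constructed sample: lines copied from the drill -T trace in the post above, abridged.
TRACE = """\
;; Domain: 6.1.1.0.0.2.ip6.arpa.
[T] 6.1.1.0.0.2.ip6.arpa. 3600 IN DNSKEY 257 3 5 ;{id = 48796 (ksk), size = 2048b}
[T] Existence denied: d.6.1.1.0.0.2.ip6.arpa. DS
;; No ds record for delegation
;; Domain: 8.d.6.1.1.0.0.2.ip6.arpa.
;; No DNSKEY record found for 8.d.6.1.1.0.0.2.ip6.arpa.
[B] ;; Error verifying denial of existence for name d.8.d.6.1.1.0.0.2.ip6.arpa.NS: No DNSSEC signature(s)
"""

def arpa_to_prefix(name):
    """Map a nibble-reversed ip6.arpa name to the IPv6 prefix it covers."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError(f"not an ip6.arpa name: {name}")
    nibbles = labels[:-2][::-1]  # most significant nibble first
    if len(nibbles) > 32 or any(not re.fullmatch(r"[0-9a-f]", n) for n in nibbles):
        raise ValueError(f"bad nibble label in: {name}")
    addr = int("".join(nibbles).ljust(32, "0"), 16)
    return str(ipaddress.IPv6Network((addr, 4 * len(nibbles))))

def chain_break(trace):
    """Find where the chain of trust ends in a drill -T trace."""
    signed, unsigned, bogus = None, None, []
    for line in (raw.strip() for raw in trace.splitlines()):
        # [T] marks a line drill could validate; a DNSKEY line names a signed zone.
        if unsigned is None and (m := re.match(r"\[T\] (\S+) \d+ IN DNSKEY ", line)):
            signed = m.group(1)
        elif m := re.match(r";; No DNSKEY record found for (\S+)", line):
            unsigned = unsigned or m.group(1)
        # [B] marks a failed validation; the name is printed fused to the record type.
        elif m := re.match(r"\[B\] .*for name (\S+?\.)([A-Z0-9]+):", line):
            bogus.append((m.group(1), m.group(2)))
    return {"last_signed": signed, "first_unsigned": unsigned, "bogus": bogus}

if __name__ == "__main__":
    result = chain_break(TRACE)
    for key in ("last_signed", "first_unsigned"):
        print(f"{key}: {result[key]} covers {arpa_to_prefix(result[key])}")
    for name, rtype in result["bogus"]:
        print(f"bogus: {rtype} for {name}")
```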
DNSSEC delegation stops at 8.d.6.1.1.0.0.2.ip6.arpa
Jeroen Massar on Saturday, 23 March 2013 20:05:00
As stated in the FAQ you need to use DLV.