Hello Casey,

On Thu, 2021-03-11 at 09:58 -0700, Casey Deccio wrote:
> > On Mar 11, 2021, at 2:59 AM, Peter van Dijk <[email protected]> wrote:
> >
> > On Thu, 2021-03-11 at 10:33 +0100, Peter van Dijk wrote:
> > > That actually looks fine to me - DS is signed by parent (dla.mil),
> > > DNSKEY is signed by child (gtm-ext.dla.mil).
> >
> > This means that the error reported by DNSViz:
> >
> > RRSIG quicksearch.gtm-ext.dla.mil/A alg 8, id 29085: The Signer's Name
> > field of the RRSIG RR (gtm-ext.dla.mil) does not match the name of the zone
> > containing the RRset (dla.mil).
> >
> > does not seem like the right conclusion to me.
> >
> > (To be clear, the name does not deserve to resolve because of all the
> > problems, but DNSViz is not correctly pointing to the pain I think.)
>
> That's a fair point. *Normally* the error would be something more like: "No
> RRSIGs were found covering the RRset". But in this case, there *was* an
> RRSIG, so it didn't get *that* error. DNSViz used to complain when an RRSIG
> didn't align to a DNSKEY, but that was changed because sometimes there were
> legitimate reasons for that (like pre-publishing RRSIGs as part of an
> algorithm rollover). So all we were left with was an error about the RRSIG
> itself (i.e., name didn't match).

Thank you for explaining that history. I certainly appreciate how your errors
have to guess at the real-world things that are happening.

> Probably the "no RRSIG" error should be modified to be "no RRSIG for an
> existing DNSKEY".

But, in this case, the DNSKEY does exist, and a DS is pointing at it
correctly, and the problems are almost unrelated to those, as far as I can
see. My impression is that DNSViz is confused for the same reason a default
PowerDNS Recursor gets confused on this name - conflicting facts from queries
*other than* those DS and DNSKEY queries.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
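The exchange above turns on how a diagnostic tool decides which zone "contains" an RRset before it compares that zone to the RRSIG Signer's Name, and which of its error messages it then emits (no RRSIG at all, signer-name mismatch, or the deliberately silent "RRSIG points at an unpublished DNSKEY" case). The following is an added example written for this page; it is not DNSViz code and not part of the thread. It models that decision as a small classifier over a constructed set of observations: the zone apexes the tool believes it has established, the DNSKEY key tags it saw at each apex, and the RRSIGs covering the RRset. The names and the key tag 29085 are the ones quoted in the thread; the second DNSKEY tag and the two "observation" scenarios are constructed to illustrate how the same RRSIG can be reported as fine or as a signer-name mismatch depending only on whether the gtm-ext.dla.mil zone cut was established from the other queries.

```python
"""Added example (not DNSViz code): which DNSSEC diagnostic applies to an RRset,
given what a validating tool believes about zone cuts and DNSKEYs.
All observations below are constructed for illustration."""
from dataclasses import dataclass, field


def zone_containing(owner: str, zone_apexes: set[str]) -> str:
    """Return the longest known zone apex that the owner name falls under.

    This is the step a tool has to get right before it can judge an RRSIG's
    Signer's Name: if a zone cut was never established (no NS/DS seen for it),
    the owner is attributed to the closest ancestor zone that *was* seen."""
    owner = owner.rstrip(".").lower()
    best = ""
    for apex in zone_apexes:
        a = apex.rstrip(".").lower()
        if (owner == a or owner.endswith("." + a)) and len(a) > len(best):
            best = a
    if not best:
        raise ValueError(f"no known zone contains {owner}")
    return best


@dataclass
class RRSIG:
    signer: str      # Signer's Name field
    alg: int         # algorithm number
    key_tag: int     # key tag of the DNSKEY the signature claims to use


@dataclass
class Observations:
    # Zone apexes the tool believes exist, inferred from the NS/DS/SOA answers it saw.
    zone_apexes: set[str]
    # DNSKEY key tags published at each apex.
    dnskeys: dict[str, set[int]] = field(default_factory=dict)


def diagnose(owner: str, rtype: str, rrsigs: list[RRSIG], obs: Observations) -> list[str]:
    """Return the diagnostics (DNSViz-style wording, reconstructed from the thread)
    that apply to one RRset. An empty list means nothing is reported."""
    zone = zone_containing(owner, obs.zone_apexes)
    if not rrsigs:
        return [f"{owner}/{rtype}: No RRSIGs were found covering the RRset"]
    out = []
    for sig in rrsigs:
        signer = sig.signer.rstrip(".").lower()
        if signer != zone:
            out.append(
                f"RRSIG {owner}/{rtype} alg {sig.alg}, id {sig.key_tag}: "
                f"The Signer's Name field of the RRSIG RR ({signer}) does not "
                f"match the name of the zone containing the RRset ({zone})."
            )
        elif sig.key_tag not in obs.dnskeys.get(zone, set()):
            # Deliberately informational, not an error: an RRSIG may reference a DNSKEY
            # that is not (yet) published, e.g. signatures pre-published ahead of an
            # algorithm rollover, which is why this check was relaxed.
            out.append(
                f"RRSIG {owner}/{rtype} id {sig.key_tag}: no DNSKEY with this key tag "
                f"seen at {zone} (informational, not an error)"
            )
    return out


# The RRSIG quoted in the thread.
SIG = RRSIG(signer="gtm-ext.dla.mil", alg=8, key_tag=29085)
OWNER, RTYPE = "quicksearch.gtm-ext.dla.mil", "A"

# Scenario A (constructed): the tool established gtm-ext.dla.mil as a zone, i.e. it saw
# the delegation from dla.mil and the child's DNSKEY. The signer name then matches.
CONSISTENT = Observations(
    zone_apexes={"mil", "dla.mil", "gtm-ext.dla.mil"},
    dnskeys={"gtm-ext.dla.mil": {29085}},
)

# Scenario B (constructed): the tool never established gtm-ext.dla.mil as a zone cut
# because other answers conflicted, so the RRset is attributed to dla.mil and the
# signer-name error from the thread is what gets reported. 11111 is a made-up key tag.
INCONSISTENT = Observations(
    zone_apexes={"mil", "dla.mil"},
    dnskeys={"dla.mil": {11111}},
)

if __name__ == "__main__":
    for label, obs in (("consistent cuts", CONSISTENT), ("missing child cut", INCONSISTENT)):
        print(f"[{label}] {diagnose(OWNER, RTYPE, [SIG], obs) or 'no diagnostics'}")
```

The point the example makes is that the signer-name error is a symptom of the zone-cut inference, not of the RRSIG itself: with the child apex established the same signature produces no diagnostic, and a signature whose key tag is absent from the zone's DNSKEY set is reported only as informational, matching the relaxed behaviour described for algorithm rollovers.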
