Yes, that too. There’s a bit of a laundry-list.
-Bill
> On Jun 20, 2023, at 8:47 AM, Mark Andrews <[email protected]> wrote:
>
> Isn’t it more not copying the NS records into the GL zone so that the signer
> will generate the correct NSEC3 chain?
> You could get away with missing this step pre-DNSSEC if parent and child
> were served by the same set of servers but
> not now that DNSSEC exists and especially if the parent is signed.
>
> Mark
>
>> On 20 Jun 2023, at 16:13, Bill Woodcock <[email protected]> wrote:
>>
>> Yes, the second-levels have been broken since the middle of last October.
>> CentralNIC unexpectedly created new delegation points for the second-level
>> domains, but has not yet copied the DS records down from the parent, nor
>> created new ones of their own. We remind them of the issue periodically,
>> but no response thus far.
>>
>> -Bill
>>
>>
>>
>>>> On Jun 20, 2023, at 4:23 AM, Viktor Dukhovni <[email protected]>
>>>> wrote:
>>>
>>> The .GL TLD returns bogus NXDOMAIN responses to DS queries for:
>>>
>>> com.gl. IN DS ? ; NXDomain https://dnsviz.net/d/com.gl/ZJEMOQ/dnssec/
>>> gl. IN SOA a.nuuk.nic.gl. [email protected]. 2022119284 900 1800 6048000
>>> 3600
>>> gl. IN RRSIG SOA 8 1 900 20230705050000 20230618050000 39306 gl. [...]
>>> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN NSEC3 1 1 10 504d114b
>>> SAGKR73F41OMFFI8TDE1CGHOQM502SIH NS SOA RRSIG DNSKEY NSEC3PARAM
>>> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN RRSIG NSEC3 8 2 3600
>>> 20230705050000 20230618050000 39306 gl. [...]
>>> BBTTMJM743SRPQ6J4KQDIUC73E3C1HOA.gl. IN NSEC3 1 1 10 504d114b
>>> BSHTF866A32E02RJ617EUE8CCP45A6V4 NS DS RRSIG
>>> BBTTMJM743SRPQ6J4KQDIUC73E3C1HOA.gl. IN RRSIG NSEC3 8 2 3600
>>> 20230705050000 20230618050000 39306 gl. [...]
>>> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN NSEC3 1 1 10 504d114b
>>> 742MB65DHD2D8BG0846S1RKRER2E8CUB NS DS RRSIG
>>> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN RRSIG NSEC3 8 2 3600
>>> 20230705050000 20230618050000 39306 gl. [...]
>>>
>>> edu.gl. IN DS ? ; NXDomain https://dnsviz.net/d/edu.gl/ZJEKYw/dnssec/
>>> gl. IN SOA a.nuuk.nic.gl. [email protected]. 2022119284 900 1800 6048000
>>> 3600
>>> gl. IN RRSIG SOA 8 1 900 20230705050000 20230618050000 39306 gl. [...]
>>> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN NSEC3 1 1 10 504d114b
>>> SAGKR73F41OMFFI8TDE1CGHOQM502SIH NS SOA RRSIG DNSKEY NSEC3PARAM
>>> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN RRSIG NSEC3 8 2 3600
>>> 20230705050000 20230618050000 39306 gl. [...]
>>> O3DN0L28MEKMTHMNP658AQ4UUG4CDHTP.gl. IN NSEC3 1 1 10 504d114b
>>> OE6EUSIJCPGO9R8RG0RO7Q9TPS7L9A46 NS DS RRSIG
>>> O3DN0L28MEKMTHMNP658AQ4UUG4CDHTP.gl. IN RRSIG NSEC3 8 2 3600
>>> 20230705050000 20230618050000 39306 gl. [...]
>>> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN NSEC3 1 1 10 504d114b
>>> 742MB65DHD2D8BG0846S1RKRER2E8CUB NS DS RRSIG
>>> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN RRSIG NSEC3 8 2 3600
>>> 20230705050000 20230618050000 39306 gl. [...]
>>>
>>> org.gl. IN DS ? ; NXDomain https://dnsviz.net/d/org.gl/ZJEMkg/dnssec/
>>> gl. IN SOA a.nuuk.nic.gl. [email protected]. 2022119284 900 1800 6048000
>>> 3600
>>> gl. IN RRSIG SOA 8 1 900 20230705050000 20230618050000 39306 gl. [...]
>>> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN NSEC3 1 1 10 504d114b
>>> SAGKR73F41OMFFI8TDE1CGHOQM502SIH NS SOA RRSIG DNSKEY NSEC3PARAM
>>> s2uojg57gtbj0m12ecau9csfd38ejndn.gl. IN RRSIG NSEC3 8 2 3600
>>> 20230705050000 20230618050000 39306 gl. [...]
>>> EB30Q0MC6UJD3MIGICRL31Q4SNSIT4T7.gl. IN NSEC3 1 1 10 504d114b
>>> EE4KJQ89ME2PR0AOHKV4G9OACUF3367V NS DS RRSIG
>>> EB30Q0MC6UJD3MIGICRL31Q4SNSIT4T7.gl. IN RRSIG NSEC3 8 2 3600
>>> 20230705050000 20230618050000 39306 gl. [...]
>>> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN NSEC3 1 1 10 504d114b
>>> 742MB65DHD2D8BG0846S1RKRER2E8CUB NS DS RRSIG
>>> 6LJARAG1OKGTS55S0KMDAS442VDOTMTH.gl. IN RRSIG NSEC3 8 2 3600
>>> 20230705050000 20230618050000 39306 gl. [...]
>>>
>>> All three 2LDs exist, are delegated, have SOA records and child zones.
>>>
>>> --
>>> Viktor.
>>> _______________________________________________
>>> dns-operations mailing list
>>> [email protected]
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
>>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: [email protected]
>
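How a validator reads the NSEC3 records in the quoted com.gl response, as an added example that is not part of the thread or any participant's tooling: it hashes a name per RFC 5155 and reports whether a returned NSEC3 record matches it (the name is in the signed chain) or covers it (the signed chain denies it). The function names and COM_GL_RESPONSE are hypothetical; the owner/next hashes, salt 504d114b and 10 iterations are copied from the quoted response.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex, the encoding used in NSEC3 owner names.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: iterated, salted SHA-1 over the lowercased wire-format name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)

def covers(owner_hash, next_hash, h):
    """True if h lies strictly inside the (owner, next) gap, including the chain's wrap-around."""
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    return h > owner_hash or h < next_hash

def classify(qname, records, salt_hex, iterations):
    """Return ('match', types), ('covered', owner) or ('none', None) for qname."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, _next, types in records:
        if owner == h:
            return "match", types        # name is in the signed chain; types is its bitmap
    for owner, nxt, _types in records:
        if covers(owner, nxt, h):
            return "covered", owner      # signed proof that the name does not exist
    return "none", None

# (owner hash, next hash, type bitmap) copied from the com.gl response quoted in the thread.
COM_GL_RESPONSE = [
    ("S2UOJG57GTBJ0M12ECAU9CSFD38EJNDN", "SAGKR73F41OMFFI8TDE1CGHOQM502SIH", "NS SOA RRSIG DNSKEY NSEC3PARAM"),
    ("BBTTMJM743SRPQ6J4KQDIUC73E3C1HOA", "BSHTF866A32E02RJ617EUE8CCP45A6V4", "NS DS RRSIG"),
    ("6LJARAG1OKGTS55S0KMDAS442VDOTMTH", "742MB65DHD2D8BG0846S1RKRER2E8CUB", "NS DS RRSIG"),
]

if __name__ == "__main__":
    for name in ("gl.", "com.gl.", "*.gl."):   # closest encloser, next closer name, wildcard
        print(name, nsec3_hash(name, "504d114b", 10), classify(name, COM_GL_RESPONSE, "504d114b", 10))
```

A correctly signed delegation would instead return an NSEC3 record matching the hash of com.gl with NS in its type bitmap, which is what including the delegation NS records in the signed parent zone produces.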