Hi,

In response to my own message, it looks like there is actually no problem at all. My apologies for the noise.

My mistake was in the fact that the 17.2.in-addr.arpa NSEC record has a ‘next’ field of 71.179.2.in-addr.arpa, which in fact proves the existence of 179.2.in-addr.arpa, which in turn blocks the synthesis of *.2.in-addr.arpa. This changes the required proof to denying *.179.2.in-addr.arpa and 210.179.2.in-addr.arpa, both of which are denied by that same 17.2.in-addr.arpa NSEC record.

Again, sorry for the noise.

--
Brian

From: "Brian Somers (brsomers)" <[email protected]>
Date: Friday, October 4, 2019 at 3:56 PM
To: "[email protected]" <[email protected]>
Subject: DNSSEC missing NSEC records

Hi,

Hopefully this email will reach a human.

In summary, I am querying your nameservers with a query whose response is a negative result. The negative result does not supply correct NSEC proof, so the result is being thrown away. According to your web page at https://afrinic.net/dnssec, you are using standard tools, so perhaps an upgrade is necessary?

The details:

$ dig +dnssec PTR 55.210.179.2.in-addr.arpa

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec PTR 55.210.179.2.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13221
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 16384
;; QUESTION SECTION:
;55.210.179.2.in-addr.arpa.     IN      PTR

;; AUTHORITY SECTION:
2.in-addr.arpa.         529     IN      SOA     pri.authdns.ripe.net. dns.ripe.net. 1570034799 3600 600 864000 3600
2.in-addr.arpa.         529     IN      RRSIG   SOA 8 3 3600 20191018205054 20191004192054 48919 2.in-addr.arpa. XQQvfbQaC362wJKmA/77JlP4kL3EFsmAs3+ByNfUreFxDYAa/no6PqFO OkyL9n0TYnaxT66vNCktUscMQvO1M5gNJ19tPDlZA+pVN2nzGZZzfUql WJl9EwfyLFkO2ZmwIBBdejgPtUuiS6qdg8r/4oESfEch+YgcNNJrDzTb ts4=
17.2.in-addr.arpa.      529     IN      NSEC    71.179.2.in-addr.arpa. NS RRSIG NSEC
17.2.in-addr.arpa.      529     IN      RRSIG   NSEC 8 4 3600 20191014161051 20190930144051 48919 2.in-addr.arpa. NIK1UeZMTlTYD/TqjYHH73UUiIkwK0i5YqLWjEh+hXLgmpv9nutrXPE2 YHLSSd6Uev7RwXyfIJ7XoTymuKfeOKvUBiMz3mElf0WOoAmWgcYiCn9y AzPOca/0xJ1lV6k7IUsMdaijsOR6/FRh0adVhb4VmtSh7qJfQEM8cXOk EiU=

;; Query time: 71 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 04 22:37:54 UTC 2019
;; MSG SIZE  rcvd: 508

The response correctly denies the existence of 179.2.in-addr.arpa and everything below it, but it does not deny the existence of *.2.in-addr.arpa (the wildcard record) which, if present, would expand to 55.210.179.2.in-addr.arpa.

This can be seen also here: https://dnssec-analyzer.verisignlabs.com/55.210.179.2.in-addr.arpa
and here: http://dnsviz.net/d/55.210.179.2.in-addr.arpa/dnssec/

Are there any plans to address this issue?

Thanks for your time.

--
Brian
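The closest-encloser reasoning in the reply above, worked through in code, as an added example that is not part of the mailing-list thread or of any DNS library: it applies RFC 4034 canonical name ordering and the RFC 7129 closest-encloser method to the single NSEC record from the dig output, and assumes ASCII names inside the 2.in-addr.arpa zone.

```python
# Added example (not from the post). Standard library only; assumes ASCII
# names within one zone. Canonical ordering per RFC 4034 s6.1, closest
# encloser / next closer / wildcard reasoning per RFC 7129.

def labels(name):
    """Labels of a name, lowercase, least significant first, root omitted."""
    return [l.lower() for l in name.rstrip('.').split('.') if l]

def canonical_key(name):
    """RFC 4034 s6.1 order: compare labels from the right as octet strings."""
    return [l.encode() for l in reversed(labels(name))]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between the NSEC owner and its next name."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n          # the last NSEC in the chain wraps to the apex

def is_ancestor_or_equal(anc, name):
    a, n = labels(anc), labels(name)
    return len(a) <= len(n) and n[len(n) - len(a):] == a

def closest_encloser(owner, next_name, qname):
    """Longest ancestor of qname the NSEC proves to exist: the owner, the next
    name, and every ancestor of either (this is why the next field
    71.179.2.in-addr.arpa proves that 179.2.in-addr.arpa exists)."""
    q = labels(qname)
    for i in range(1, len(q) + 1):         # strip leading labels one at a time
        candidate = '.'.join(q[i:])        # '' (the root) always matches
        if any(is_ancestor_or_equal(candidate, x) for x in (owner, next_name)):
            return candidate

def nxdomain_proof(owner, next_name, qname):
    """A valid NXDOMAIN proof covers the 'next closer' name (closest encloser
    plus one more label of qname) and the wildcard at the closest encloser."""
    ce = closest_encloser(owner, next_name, qname)
    q = labels(qname)
    next_closer = '.'.join(q[len(q) - len(labels(ce)) - 1:])
    wildcard = '*.' + ce if ce else '*'
    return {
        'closest_encloser': ce,
        'next_closer': next_closer,
        'wildcard': wildcard,
        'next_closer_covered': nsec_covers(owner, next_name, next_closer),
        'wildcard_covered': nsec_covers(owner, next_name, wildcard),
    }
```

Running nxdomain_proof on the record from the dig output (owner 17.2.in-addr.arpa, next 71.179.2.in-addr.arpa, qname 55.210.179.2.in-addr.arpa) yields closest encloser 179.2.in-addr.arpa with both 210.179.2.in-addr.arpa and *.179.2.in-addr.arpa covered, while *.2.in-addr.arpa is indeed not covered but also no longer needs to be.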
_______________________________________________
DNSSEC-Ops mailing list
[email protected]
https://lists.afrinic.net/mailman/listinfo/dnssec-ops
