Re: Confirm BIND is correctly validating dmdc.osd.mil

2024-08-09 Thread Ondřej Surý
This could be a result of KeyTrap mitigations. The number of DS records is weird, but as long as there's a valid path from root and no conflicting keytags, this looks fine to me.

Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated t

Re: Confirm BIND is correctly validating dmdc.osd.mil

2024-08-09 Thread Scott Morizot
Oh, duh. I had a momentary mental lapse, maybe just from looking through all the DS records. No, there's no issue with having a DS record published that points to a valid and visible DNSKEY that doesn't sign the DNSKEY RRSet as long as there's at least one RRSIG from a validated DS/DNSKEY match. I

Re: Confirm BIND is correctly validating dmdc.osd.mil

2024-08-09 Thread Scott Morizot
dmdc.osd.mil is ... a bit of a mess. However, SHA-1 DS records remain present and I doubt whatever Akamai's recursive service is doing is choking on those. I note (and confirmed with my own manual queries) that amid all the DS records that don't point to anything, there are two SHA-256 DS records
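The checks the three replies above turn on (does each DS in the parent point at a DNSKEY actually published by the child, which DS records are stale and point at nothing, and do any DNSKEYs share a key tag) can be reproduced offline. The script below is an added example written for this page; it is not code from the bind-users thread, from BIND, or from dmdc.osd.mil. It implements the RFC 4034 key-tag checksum and the DS digest construction (hash over canonical owner name plus DNSKEY RDATA) with the standard library only; the zone name `child.example.` and all key bytes are constructed, so the digests are meaningful only relative to each other. It stops at the DS/DNSKEY match: whether the matched key also signs the DNSKEY RRset is an RRSIG check it does not perform.

```python
# Added example (not from the bind-users thread, BIND, or dmdc.osd.mil): check
# which DS records in a parent actually point at a DNSKEY in the child's RRset,
# and whether any DNSKEYs share a key tag.  Key material and names are constructed.
import hashlib
from dataclasses import dataclass

# DS digest types this checker understands (RFC 4034 sec. 5.1.3, RFC 4509, RFC 6605)
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root = 0x00."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw public key field; constructed bytes in this example
    protocol: int = 3   # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit checksum over the RDATA; not unique, collisions are legal."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_digest(self, owner: str, digest_type: int) -> bytes:
        """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
        h = hashlib.new(DIGEST_ALGOS[digest_type])
        h.update(name_to_wire(owner) + self.rdata())
        return h.digest()


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """Build the DS record a parent would publish for this DNSKEY."""
    return DS(key.key_tag(), key.algorithm, digest_type, key.ds_digest(owner, digest_type))


def classify_ds(owner, ds_rrset, dnskey_rrset):
    """Split a DS RRset into (matching, orphaned).  A DS matches only when key tag,
    algorithm and the recomputed digest all agree with some published DNSKEY.
    Unsupported digest types never match here; a validator treats them as absent.
    Whether the matched key also signs the DNSKEY RRset is a separate RRSIG check."""
    matching, orphaned = [], []
    for ds in ds_rrset:
        hit = any(
            key.key_tag() == ds.key_tag
            and key.algorithm == ds.algorithm
            and ds.digest_type in DIGEST_ALGOS
            and key.ds_digest(owner, ds.digest_type) == ds.digest
            for key in dnskey_rrset
        )
        (matching if hit else orphaned).append(ds)
    return matching, orphaned


def colliding_key_tags(dnskey_rrset):
    """Key tags shared by more than one DNSKEY.  Each extra key behind one tag is
    another candidate a validator may try for an RRSIG carrying that tag."""
    by_tag = {}
    for key in dnskey_rrset:
        by_tag.setdefault(key.key_tag(), []).append(key)
    return {tag: keys for tag, keys in by_tag.items() if len(keys) > 1}


def demo():
    """Constructed scenario: two live keys, plus a stale DS for a key that was rolled out."""
    owner = "child.example."                              # constructed zone name
    ksk_current = DNSKEY(257, 13, bytes(range(64)))       # constructed key bytes
    ksk_old = DNSKEY(257, 13, bytes(range(64, 128)))      # no longer in the DNSKEY RRset
    zsk = DNSKEY(256, 13, bytes(range(128, 192)))
    dnskeys = [ksk_current, zsk]
    parent_ds = [
        make_ds(owner, ksk_current, 2),   # SHA-256 DS for the live KSK
        make_ds(owner, ksk_current, 1),   # SHA-1 DS for the same key, still a valid match
        make_ds(owner, ksk_old, 2),       # points at nothing in the published RRset
    ]
    matching, orphaned = classify_ds(owner, parent_ds, dnskeys)
    return {"matching": matching, "orphaned": orphaned, "collisions": colliding_key_tags(dnskeys)}


if __name__ == "__main__":
    result = demo()
    for label in ("matching", "orphaned"):
        for ds in result[label]:
            print(f"{label:8} tag={ds.key_tag} alg={ds.algorithm} type={ds.digest_type} {ds.digest.hex()[:16]}...")
    print("key-tag collisions:", {t: len(k) for t, k in result["collisions"].items()})
```

To run it against a real delegation, replace the constructed keys with the flags, algorithm and base64-decoded public key from the child's DNSKEY answer and the DS fields from the parent's DS answer; an orphaned DS is harmless to validation as long as at least one other DS matches a published key that signs the DNSKEY RRset, which is exactly the situation the replies describe. A non-empty `collisions` result is what the KeyTrap mitigations are about: a validator must bound how many key/signature pairs it is willing to try per tag.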

Confirm BIND is correctly validating dmdc.osd.mil

2024-08-09 Thread John Thurston
Our upstream resolver (Akamai) is unable to validate scra.dmdc.osd.mil, when my 9.18.28 BIND resolver is able to. I think my BIND server is doing it correctly, and the Akamai resolver is not. The nice dnsviz visualizer https://dnsviz.net/d/scra.dmdc.osd.mil/dnssec/ leads me to suspect that A