This could be a result of KeyTrap mitigations. The number of DS records is weird, but as long as there's a valid path from root and no conflicting keytags, this looks fine to me.

Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated t
Oh, duh. I had a momentary mental lapse, maybe just from looking through
all the DS records. No, there's no issue with having a DS record published
that points to a valid and visible DNSKEY that doesn't sign the DNSKEY
RRSet as long as there's at least one RRSIG from a validated DS/DNSKEY
match. I
dmdc.osd.mil is ... a bit of a mess. However, SHA-1 DS records remain
present and I doubt whatever Akamai's recursive service is doing is choking
on those.
I note (and confirmed with my own manual queries) that amid all the DS
records that don't point to anything, there are two SHA-256 DS records
Our upstream resolver (Akamai) is unable to validate scra.dmdc.osd.mil,
when my 9.18.28 BIND resolver is able to. I think my BIND server is
doing it correctly, and the Akamai resolver is not.
The nice dnsviz visualizer
https://dnsviz.net/d/scra.dmdc.osd.mil/dnssec/ leads me to suspect that
A