[DNSSEC-Ops] DNSSEC missing NSEC records

Brian Somers (brsomers) brsomers at cisco.com
Fri Oct 4 22:56:49 UTC 2019


Hi,

Hopefully this email will reach a human. In summary, I am querying your nameservers with a query whose response is a negative result. The negative result does not supply correct NSEC proof, so the result is being thrown away. According to your web page at https://afrinic.net/dnssec, you are using standard tools, so perhaps an upgrade is necessary?

The details:


$ dig +dnssec PTR 55.210.179.2.in-addr.arpa

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec PTR 55.210.179.2.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13221
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 16384
;; QUESTION SECTION:
;55.210.179.2.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
2.in-addr.arpa. 529 IN SOA pri.authdns.ripe.net. dns.ripe.net. 1570034799 3600 600 864000 3600
2.in-addr.arpa. 529 IN RRSIG SOA 8 3 3600 20191018205054 20191004192054 48919 2.in-addr.arpa. XQQvfbQaC362wJKmA/77JlP4kL3EFsmAs3+ByNfUreFxDYAa/no6PqFO OkyL9n0TYnaxT66vNCktUscMQvO1M5gNJ19tPDlZA+pVN2nzGZZzfUql WJl9EwfyLFkO2ZmwIBBdejgPtUuiS6qdg8r/4oESfEch+YgcNNJrDzTb ts4=
17.2.in-addr.arpa. 529 IN NSEC 71.179.2.in-addr.arpa. NS RRSIG NSEC
17.2.in-addr.arpa. 529 IN RRSIG NSEC 8 4 3600 20191014161051 20190930144051 48919 2.in-addr.arpa. NIK1UeZMTlTYD/TqjYHH73UUiIkwK0i5YqLWjEh+hXLgmpv9nutrXPE2 YHLSSd6Uev7RwXyfIJ7XoTymuKfeOKvUBiMz3mElf0WOoAmWgcYiCn9y AzPOca/0xJ1lV6k7IUsMdaijsOR6/FRh0adVhb4VmtSh7qJfQEM8cXOk EiU=

;; Query time: 71 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 04 22:37:54 UTC 2019
;; MSG SIZE rcvd: 508

The response correctly denies the existence of 179.2.in-addr.arpa and everything below it, but it does not deny the existence of *.2.in-addr.arpa (the wildcard record) which, if present, would expand to 55.210.179.2.in-addr.arpa.

This can be seen also here: https://dnssec-analyzer.verisignlabs.com/55.210.179.2.in-addr.arpa
and here: http://dnsviz.net/d/55.210.179.2.in-addr.arpa/dnssec/

Are there any plans to address this issue? Thanks for your time.

--
Brian
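Added example (not part of the post above, and not RIPE's or AfriNIC's code): a validator-style check of the NXDOMAIN proof in the quoted response. It applies DNSSEC canonical ordering (RFC 4034 §6.1) to the single NSEC in the AUTHORITY section, confirms it covers the QNAME, and then reports, for the wildcard at each in-zone ancestor of the QNAME, whether any NSEC covers it; which ancestor is the closest encloser is the validator's call (RFC 4035 §5.4), so the function lists them all. The NSEC owner/next pair and the apex name are taken from the dig output; everything else is constructed.

```python
# Validator-side NSEC NXDOMAIN proof check (added example, uses the NSEC quoted above).

def canonical_labels(name):
    """Labels of a name, root-first and lowercased, as bytes (RFC 4034 canonical order)."""
    return [l.lower().encode() for l in name.rstrip(".").split(".")][::-1]

def canonical_cmp(a, b):
    """Return -1, 0 or 1 comparing names a and b in DNSSEC canonical order."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:                       # bytes compare: a shorter prefix sorts first
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def nsec_covers(owner, next_name, name):
    """True if name lies strictly between owner and next, i.e. the NSEC proves it absent.
    The last NSEC in a zone wraps around: its next name is the apex."""
    if canonical_cmp(owner, next_name) < 0:
        return canonical_cmp(owner, name) < 0 and canonical_cmp(name, next_name) < 0
    return canonical_cmp(owner, name) < 0 or canonical_cmp(name, next_name) < 0

def ancestors_in_zone(qname, apex):
    """Ancestors of qname from its parent down to the zone apex (inclusive)."""
    labels = qname.rstrip(".").split(".")
    apex_len = len(apex.rstrip(".").split("."))
    return [".".join(labels[i:]) for i in range(1, len(labels) - apex_len + 1)]

def check_nxdomain_proof(qname, apex, nsecs):
    """nsecs: list of (owner, next) tuples from the AUTHORITY section.
    Returns (qname_covered, {wildcard_name: covered}) for each in-zone ancestor."""
    qname_covered = any(nsec_covers(o, n, qname) for o, n in nsecs)
    wildcards = {}
    for ancestor in ancestors_in_zone(qname, apex):
        wc = "*." + ancestor
        wildcards[wc] = any(nsec_covers(o, n, wc) for o, n in nsecs)
    return qname_covered, wildcards

# The only NSEC in the quoted response (constructed from the dig output above).
RESPONSE_NSECS = [("17.2.in-addr.arpa", "71.179.2.in-addr.arpa")]

if __name__ == "__main__":
    covered, wcs = check_nxdomain_proof("55.210.179.2.in-addr.arpa", "2.in-addr.arpa", RESPONSE_NSECS)
    print("QNAME covered:", covered)
    for wc, ok in wcs.items():
        print(f"{wc:28} {'covered' if ok else 'NOT covered'}")
```

Run against the quoted response it reports the QNAME and `*.179.2.in-addr.arpa` as covered by the 17.2 to 71.179.2 NSEC, while `*.2.in-addr.arpa` sorts before 17.2.in-addr.arpa and has no covering NSEC in the response.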
