Maintained by: NLnet Labs

Unable to resolve 1 domain

W.C.A. Wijngaards
Mon Apr 10 14:59:43 CEST 2017


Hi Ondrej,

The issue is not that DS but the other SHA2 DS that makes all the SHA1
DSes irrelevant.

Also, partial rrsets are something unbound doesn't do, but parent-child
disagreements on the delegation glue are very common.  Extreme leniency
stuff.

Best regards, Wouter

On 10/04/17 14:48, Ondřej Surý wrote:
> Wouter,
> 
> are you sure about the BOGUS status?  I see (stripped down to minimum):
> 
> 1. at the parent:
> 
> $ kdig +multi +dnssec IN NS lkpp.go.id. @b.dns.id.
> 
> KSK 31653
> 
> lkpp.go.id.             43200 IN DS 31653 7 1 (
> 				1DD2E4B3643C20097ECE57ECC1F36B8EFBBE303B
> 				)
> 
> 2. at the child:
> 
> $ kdig +multi +dnssec IN DNSKEY lkpp.go.id. @ns1.lkpp.go.id.
> 
> KSK 31653
> 
> lkpp.go.id.             604800 IN DNSKEY 257 3 7 (
> 				AwEAAc4geZlrl3lZHie+wgyVayHtQ/KX1LSLZ6FsfPUO
> 				lHFsqHFV9osTQ+v9PR++SVPfU8cQZgmWeWsLut7JDqgX
> 				WRSt1833y8Q80HCB67RLRNoyktFkVrhGh2/1qL+bPvJW
> 				RdZjufqmvYMPpLJ+g8U1hx1JdsTOwSmEKuxGPlSJJft2
> 				crQBIN/XRi6MEDE8tGdw3SnwkgocVmTRJteO2V+uLRpK
> 				HN0WJYD7R7CGI0INoWbI2rsAgZr4hvbCQ3J0BToVoWue
> 				2UbPbACaZgmJXx1FPOC4bHKDzLVtLi62k/L1a/AJwp9E
> 				Zo7x5F7yCNQg6XUudxI+Nl7jJ5d12mJnQLsOFqUt48/R
> 				UKV0Fm1hl6lka6DiogwqA+7iTcaGknRoIXXjZ2p/D7vf
> 				i4vQGgmVV42POvrOi7rffhzbQEpiA7Vqx597cP8yCfbL
> 				5cpWFZncxkkLgp92u3D2MWxtdE9aFcuP58xPbnO6mvKq
> 				RrdnXzY4o2XbTtV4WlhJ69VzDoVeMm6p67R4R2cdqDZq
> 				LkdrbLU29nj3fVkrMK+9IswIfVJl/DOEHzCCye8brlce
> 				HF+vqNOb0g6OHj6S86aKtfKgl6DhiBFoaMneNSAFtca4
> 				yVhCMngZOfiWTnxTPqWE0VHu8QrnNL7M2AjZXrZFweLl
> 				AKvoYkUCb7HoOI+FASbZm3+0mkYx
> 				) ; KSK; alg = NSEC3RSASHA1; key id =
> 				31653
> 
> and
> 
> lkpp.go.id.             604800 IN RRSIG  DNSKEY 7 3 604800 (
> 				20170428022332 20170329022332 31653
> 				lkpp.go.id.
> 				iAMSKEUwNHmjqCRBygXeqvK2+kYAOGhHd1ZdTFkZeQDv
> 				D5/AmgfVASEpeso9kQ3Y/YRC8NBQ5JDFT/B3DFB26y9y
> 				FKBgLLsIrOjLNw7286FikQGtp4ZIGJmxgSbClaZsMnBA
> 				YS0vMu4uY42pOQ8C4gDMav94g1au+CU9w4QpBKDS8xtb
> 				6f+1B+yc3eodXdzS/iyKJYrpqPVRlOnAFGlJuxLXQxNJ
> 				GgC2ZvxmITARjfwDPROvo9zx9BoSKKnN1EV+sFqY0/xY
> 				j9OO8Q2CcQFRRuwHO4UO4or2aa1xn8lle7yhQAG46pbB
> 				74rFHU7Tyd5tfLNs0wD+gLTC27xw2kXRIJixgLM3bHOr
> 				nREuAjeokP0KulNe/TvfTiUVD+jcdDRsdTcBOZRyDOQy
> 				4Ke6pFp0jgQXXcwdRYnq39G6z+hdWuAmdN9ejnSg2R5N
> 				o7CF/Kh+uL5E+tlkEZAdW5i94FDSxrmlnbqLNwD+Bc4Z
> 				kwR8Rq7d4x2o1p5SjS8/v+vvsOUOVWN99Lnk9w7NwLfc
> 				pwn83kN5a91jkcu1lcgR+Dr+l2WVUlqWSgTIwfIKQ8A5
> 				y2PzaQCXZ1nCK5iexoYOl1zIgps4pM0WenAviFjHWgAE
> 				med75qM7rwLZqqZpRBBOB3VaaHqYFQohm8f3sVLN1n+O
> 				T6kkCOkeGsO+Saaht2SHHoU= )
> 
> ZSK 15284
> 
> lkpp.go.id.             604800 IN DNSKEY 256 3 7 (
> 				AwEAAdX16LDm+07IAtsXv+bf2HHO5S+jngvxcpay
> 				9awjHYtoy2tAPrjWWabRm8ymSO3wStqH6YY9xNiJ
> 				sKF8t+BXBenV4TQgbFO/FuioTZwTex4t3dJf01Ss
> 				auhidhoVVrPzkAOHOstHCjuIIxwH8DaGMncn7tx/
> 				lF4+S3Joi8CwceBWrwbdA0IWq7e7WG5Z/w4pK96E
> 				y4bpFDeY737EkBhPGiI5KAW5mD9eMkz7PZPss3vy
> 				5oC863I+XcD1RyaCv+Yljq1ZLLvgfpN8fCkokAYM
> 				QXxBK0PW0M4UPUTRbLatCHfxRawXpkg+bE/06bm/
> 				QrgbwYoDCiOjvkasZUJ/Vdavr4M=
> 				) ; ZSK, RSASHA1_NSEC3_SHA1 (2048b), id
> 				= 15284
> 
> 
> $ kdig +multi +dnssec IN A lkpp.go.id. @ns1.lkpp.go.id.
> 
> 
> lkpp.go.id.             604800 IN A 103.206.244.234
> lkpp.go.id.             604800 IN RRSIG A 7 3 604800 20170428022332 (
> 				20170329022332 15284 lkpp.go.id.
> 				FfCuaRXD14lOhnTQgL1g3DjUXo/OFLrhn9Y1x+9Q
> 				NWXniZgdiKhubf53ZxV8+xVYiBWvGGq0imcFoyzt
> 				98Uv8DrT9iHP4a6aZgE45Z1DXX6UE7u4x0CYeZd7
> 				g9JeV2s4jNWR1rYyln+DsbTBY5qLWNStaA71gvsn
> 				w29Pk34ssV6AP38i9OHD7bk39CY6ClOlvVtd+8Uh
> 				cZXAeWOr4BI+aCuJw5EYBte9GrlbBVD4z20Aw4/1
> 				KBK9jitG0Ty5SJz/1gJPDwAzIN6SLMNLzGNEjGz9
> 				cRsaPmlLBIOXwVC9MlTdR0GeYDTLzOZRRSviv/2u
> 				Dglyc3eRIjofg/O8A6yzkQ==
> 				)
> 
> And Verisign's DNSSEC Debugger also seems to disagree with DNSViz:
> 
> http://dnssec-debugger.verisignlabs.com/lkpp.go.id
> 
> O.
> 
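
Added example (not part of the original messages and not Unbound's code): a Python sketch of the RFC 4509 section 3 rule behind the reply above, under which a validator ignores SHA-1 DS records once a SHA-256 DS is present in the same RRset. The owner name, the key bytes and the non-matching SHA-256 DS are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import struct

# DS digest type numbers (RFC 4034, RFC 4509).
SHA1, SHA256 = 1, 2
HASHES = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

def wire_name(name):
    """Canonical (lowercase) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA)."""
    return HASHES[digest_type](wire_name(owner) + rdata).digest()

def ds_matches(owner, rdata, ds):
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and dtype in HASHES and digest == ds_digest(owner, rdata, dtype))

def chain_links(owner, rdata, ds_rrset, prefer_sha256=True):
    """True if some usable DS matches the DNSKEY.
    prefer_sha256=True applies RFC 4509 section 3: SHA-1 DS records are
    ignored when a SHA-256 DS is present in the same RRset."""
    usable = list(ds_rrset)
    if prefer_sha256 and any(ds[2] == SHA256 for ds in usable):
        usable = [ds for ds in usable if ds[2] != SHA1]
    return any(ds_matches(owner, rdata, ds) for ds in usable)

# Constructed sample data: a made-up 64-byte "public key", not the lkpp.go.id key.
OWNER = "example.test."
KSK = dnskey_rdata(257, 3, 7, bytes(range(64)))
TAG = key_tag(KSK)
GOOD_SHA1_DS = (TAG, 7, SHA1, ds_digest(OWNER, KSK, SHA1))
STALE_SHA256_DS = (TAG, 7, SHA256, b"\x00" * 32)  # assumed to match no key

if __name__ == "__main__":
    both = [GOOD_SHA1_DS, STALE_SHA256_DS]
    print("SHA-1 DS only:", chain_links(OWNER, KSK, [GOOD_SHA1_DS]))
    print("both, RFC 4509 rule:", chain_links(OWNER, KSK, both))
    print("both, every DS tried:", chain_links(OWNER, KSK, both, prefer_sha256=False))
```

A checker that tries every DS in the RRset reports a working chain for the same data that a validator applying the RFC 4509 preference rejects, so looking only at the SHA-1 DS for the KSK does not settle the validation status.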

