On 19-Nov-14 19:03, Graham Clinch wrote: > Hi Casey & List folks, >> My apologies - this was actually a bug in DNSViz. The NSEC3 computation >> was being performed on the wrong name (the wrong origin was being >> applied). It should be fixed now, as shown in: >> >> http://dnsviz.net/d/foo.cnametest.lancs.ac.uk/VGzlkA/dnssec/ >> http://dnsviz.net/d/foo.cnametest.palatine.ac.uk/VGzrqg/dnssec/ > Thanks - that's certainly looking less red. DNSViz is an exceptionally > useful tool! > > The cnametest records were an attempt at simplifying a real issue that's > been reported to us. > > An unsimplified version is cnametest2.lancs.ac.uk (here the RR is > *.cnametest2 CNAME cnametest2, with an A RR for cnametest2), which (now) > passes DNSViz, but not Verisign's DNSSEC debugger > (http://dnssec-debugger.verisignlabs.com/foo.cnametest2.lancs.ac.uk). > > I'm more confident that this is a bug in Verisign's debugger, as the > error is 'No DS records found for cnametest2.lancs.ac.uk in the > cnametest2.lancs.ac zone' (where's the .uk gone, and why the interest in > a DS where there's no zone cut?). Do any Verisign DNSSEC debugger > maintainers lurk on bind-users? (The 'Contact Us' link on the page > looks very corporate and not very useful) Try the dnssec-deployment mailing list. dnssec-deploym...@dnssec-deployment.org
> delv +vtrace continues to report "NSEC3 at super-domain" only for > foo.cnametest2.palatine.ac.uk records, and not for > foo.cnametest2.lancs.ac.uk. Is this a similar > miscalculating-the-owner-name as for DNSViz? I'll try to dig (haha!) > into the delv source tomorrow. Tested with delv 9.10.0 & 9.10.1. > > I think this might be one of those cases where I should have trusted my > gut instinct (to blame the validating resolver), but the more I > investigated the more red and missing lines in output... > > I'm attempting to discover more about the validating resolver, but since > I have no access to it and the reporter is just a user of that resolver, > odds are not stacked in our favour. > >> *snipping the bits where I obviously need to read about >> NSEC3 again* > At the start of the year, I received a piece of wisdom regarding NSEC3 > "It is much harder to understand and debug". At the time I was sure > that I could outsmart it. Maybe not so much now. > > Regards, > > Graham > >
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users