SixXS::Sunset 2017-06-06

Ticket ID: SIXXS #7590950
Ticket Status: Resolved

PoP: brudi01 - (Uberlandia)

DLV DNSSEC duplicated / wrong delegation
[ar] Carmen Sandiego on Friday, 10 August 2012 20:31:21
Username: FCL5-SIXXS

rzone 2.0.1.9.2.1.1.0.0.2.ip6.arpa is published in DLV (this is OK)
rzone 8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa is published in DLV (this is NOT OK)

rzone 8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa should be delegated at 2.0.1.9.2.1.1.0.0.2.ip6.arpa, but it isn't, and that causes failure to validate the records.

More info according to dnsviz.net:

Bogus:
- 0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa to 8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa:There are no DS RRs for 8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa in 0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa, but the NSEC or NSEC3 RRs supplied were insufficient to prove their non-existence.

Errors:
- 0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa to 8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa:The NSEC or NSEC3 RRs are insufficient to prove non-existence of DS RRs for 8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa.
- RRSIG rm2vhjou5a5f9gjtqv5b3spcr2jv71om.8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa/NSEC3 by 8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa/DNSKEY alg 8, key 10611:The signer name field (8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa) does not match the zone name (0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa).
- RRSIG rm2vhjou5a5f9gjtqv5b3spcr2jv71om.8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa/NSEC3 by 8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa/DNSKEY alg 8, key 27036:The signer name field (8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa) does not match the zone name (0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa).

Ref: http://dnsviz.net/d/0.8.3.8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa/dnssec/
State change: confirmed Locked
[ch] Jeroen Massar SixXS Staff on Friday, 17 August 2012 17:59:42
Message is Locked
The state of this ticket has been changed to confirmed
State change: resolved Locked
[ch] Jeroen Massar SixXS Staff on Tuesday, 21 August 2012 00:20:37
Message is Locked
The state of this ticket has been changed to resolved
DLV DNSSEC duplicated / wrong delegation
[ch] Jeroen Massar SixXS Staff on Tuesday, 21 August 2012 00:24:12
All zones served by ns{123}.sixxs.net are now fully signed, this thus closes the noted problem where the default-subnets were not being signed as they were in the tunnel space. Note that the sixxs.net/org/com zones themselves are NOT dnssec-signed, only the ones served by ns{123}.sixxs.net, of which a few are delegated below the sixxs.net zone. One also still needs DLV for the zones verification to actually work. One minor side-effect is that our nsd instances are now using 1G of memory, each...
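
The nesting problem reported at the top of this ticket (a signed zone served below another signed zone with no zone cut in the parent) can be caught offline from a zone inventory. The following is an added example, not SixXS code: the two zone names come from the ticket, while the inventory layout (`signed`, `ns_cuts`, `ds`) and the finding labels are assumptions made for illustration.

```python
# Added example: audits a zone inventory for signed zones nested inside
# another served zone. Zone names are from the ticket; the inventory
# layout ("signed", "ns_cuts", "ds") is an assumption for illustration.

def labels(name):
    return name.rstrip(".").lower().split(".")

def closest_ancestor(zone, apexes):
    """Longest apex that is a proper label-suffix of `zone`, else None."""
    zl, best = labels(zone), None
    for apex in apexes:
        al = labels(apex)
        if len(al) < len(zl) and zl[-len(al):] == al:
            if best is None or len(al) > len(labels(best)):
                best = apex
    return best

def audit(inventory):
    """Return {child_apex: finding} for every apex nested under another."""
    findings = {}
    for child, meta in inventory.items():
        parent = closest_ancestor(child, inventory)
        if parent is None:
            continue  # top of this inventory: anchored elsewhere (e.g. DLV)
        p = inventory[parent]
        if child not in p["ns_cuts"]:
            # No zone cut in the parent: a signed parent has nothing with
            # which to prove that DS records for the child are absent.
            findings[child] = "no-delegation"
        elif child in p["ds"] and not meta["signed"]:
            findings[child] = "ds-for-unsigned-child"
        elif p["signed"] and meta["signed"] and child not in p["ds"]:
            # Valid insecure delegation; child needs its own trust anchor.
            findings[child] = "insecure-delegation"
        else:
            findings[child] = "ok"
    return findings

PARENT = "2.0.1.9.2.1.1.0.0.2.ip6.arpa"
CHILD = "8.0.0.2.0.1.9.2.1.1.0.0.2.ip6.arpa"

def sample(ns_cuts, ds):
    """Constructed inventory: both zones signed, parent cuts/DS as given."""
    return {PARENT: {"signed": True, "ns_cuts": set(ns_cuts), "ds": set(ds)},
            CHILD: {"signed": True, "ns_cuts": set(), "ds": set()}}

if __name__ == "__main__":
    print(audit(sample([], [])))            # state reported in the ticket
    print(audit(sample([CHILD], [CHILD])))  # delegated with DS
```
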

