[Dnssec-deployment] Fun and sun with DNSSEC in Honduras

Matthew Pounsett mpounsett at afilias.info
Wed Jun 22 19:44:23 EDT 2011

On Wed, Jun 22, 2011 at 6:17 PM, Bill Owens <owens at nysernet.org> wrote:

> I would be very happy to point this out to the fine folks at Afilias, but
> before I want to make sure that this is really a problem, and that I'm
> pointing to the right things. Hence, some questions for the gurus here
> assembled ;)
Hi Bill.  Folk (fine or otherwise) from Afilias here.

Your analysis is accurate.  The root cause of the problem here is that there
is no delegation from hn., which is signed, to org.hn., which is not.  This
was fine for a long time as both zones are served out of the same processes
(in most cases).  However, once hn. was signed authenticated denial of
existence for org.hn appeared, rendering tld[12].rds.org.hn non-entities.

The reason you're occasionally getting different answers from [abcd]
0.cctld.afilias-nst.info is that there are a variety of DNS implementations
behind those service addresses, and they deal with specific cases in
slightly different ways.  One implementation does seem to be answering out
of org.hn. when it can't find a DS record in hn..  This seems like odd
behaviour to me, but perhaps someone else can explain why it's an okay thing
to do with DO is set and no delegation exists in the parent.

There has been a change request in the pipe since hn. was signed to deal
with fixing the delegation, but this is currently held up.. something to do
with required approvals between us and the registry operator for making
changes to the zone (which, technically, is theirs, not ours).  I don't have
the details to be any more specific than that, but we're working on getting
things moving along.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://dnssec-deployment.org/pipermail/dnssec-deployment/attachments/20110622/672add82/attachment.html 

More information about the Dnssec-deployment mailing list