This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] Bad secure delegation of ris.ripe.net
Alexander Gall
gall at switch.ch
Thu Dec 13 09:52:30 CET 2007
Hello DISI

The zone ris.ripe.net is bogus. It appears that the DS RR doesn't match the KSK DNSKEY RR. ripe.net is fine (with the newest trust anchors).

According to drill:

: gall at hadron[gall]; cat /tmp/ripe.key
ripe.net. IN DNSKEY 257 3 5 AwEAAZ+vLzvkn0wkjcSmpoZRIOU0Suaw1EegrH9T0vwGOG9EbdgBYs6p 1lyjy2aHfZ4EnhVVVsElpSMBFzKItwzJeR9jxZC23dHw57saKC6enu7K K0m3fUQagzHqcu5RKn/T+0w1Q51UTdsLiBfCpqzQ10+T1oRxCXYWOyIi jApUQCFvybf1U6S/7lOLagzzoSU6lzxcUivWxLEM0SbzYIoV1OWXIjnj X/7/ChvZPqr01iY9th4nXlK52Da0mPaPbunLF353s4LQ6CsmcFG3zCfg 6iYRugF/NE1uMbdpzsff7nV1/K4PdSJjLt/AKsofQbbca8zH6YEolTcA T8o18/H13jE=

: gall at hadron[gall]; drill -S -k /tmp/ripe.key ripe.net. soa | tail -5
DNSSEC Trust tree:
ripe.net. (SOA)
|---ripe.net. (DNSKEY keytag: 62805)
    |---ripe.net. (DNSKEY keytag: 21238)
;; Chase successful

: gall at hadron[gall]; drill -S -k /tmp/ripe.key ris.ripe.net. soa | tail -5
ris.ripe.net. (SOA)
|---ris.ripe.net. (DNSKEY keytag: 51156)
    |---ris.ripe.net. (DNSKEY keytag: 21022)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

The keytag of the DS record is 56179

: gall at hadron[unbound]; dig ris.ripe.net. ds +short
56179 5 1 B8F1169306DA0679416580D5AC3F43572B3318B6

-- 
Alex
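The DS-to-DNSKEY comparison that the message above does by hand with drill and dig, written out as an added example that is not part of the original post. The DS value is the one quoted in the message; the child DNSKEY is a constructed stand-in (the ris.ripe.net keys themselves are not shown on this page), and all function names are hypothetical.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lowercased) wire form of the owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata, digest_type):
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def check_delegation(owner, ds_set, dnskeys):
    """Say, per DS record, whether any child DNSKEY RDATA matches it."""
    results = []
    for tag, alg, dtype, digest in ds_set:
        same_tag = [r for r in dnskeys if key_tag(r) == tag and r[3] == alg]
        if not same_tag:
            verdict = "no DNSKEY with this key tag"
        elif dtype not in DIGESTS:
            verdict = "unsupported digest type"
        elif any(make_ds(owner, r, dtype)[3] == digest.upper() for r in same_tag):
            verdict = "match"
        else:
            verdict = "digest mismatch"
        results.append((tag, verdict))
    return results

# DS record quoted in the message above.
PAGE_DS = (56179, 5, 1, "B8F1169306DA0679416580D5AC3F43572B3318B6")
# Constructed stand-in for the child's KSK (key bytes 01 02 03 04, not a real key).
CHILD_KEY = dnskey_rdata(257, 3, 5, "AQIDBA==")

if __name__ == "__main__":
    ds_set = [PAGE_DS, make_ds("ris.ripe.net.", CHILD_KEY, 1)]
    for tag, verdict in check_delegation("ris.ripe.net.", ds_set, [CHILD_KEY]):
        print(tag, verdict)
```

A DS whose key tag appears in no child DNSKEY, as with 56179 against 51156 and 21022 in the message, leaves a validator with no chain from parent to child, which is why drill reports the chase as failed.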