About RIPE | Contact  | Search | Sitemap    
Homepage RIPE  
RIPE Community Mail Archives
search  
     
Next Sectionyou are here: RIPE -> RIPE Maillists > Archives
RIPE Navigation Ends
About RIPE Maillists
Maillists Archive
Global Lists
Non Active Lists
RIPE NCC Navigation Ends
Next Section
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

[dns-wg] Bad secure delegation of ris.ripe.net

  • To: disi@localhost, noc@localhost
  • From: Alexander Gall gall@localhost
  • Date: Thu, 13 Dec 2007 09:52:30 +0100
Hello DISI

The zone ris.ripe.net is bogus.  It appears that the DS RR doesn't
match the KSK DNSKEY RR.  ripe.net is fine (with the newest trust
anchors).  According to drill:

: gall@localhost[gall]; cat /tmp/ripe.key 
ripe.net.               IN      DNSKEY  257 3 5 AwEAAZ+vLzvkn0wkjcSmpoZRIOU0Suaw1EegrH9T0vwGOG9EbdgBYs6p 1lyjy2aHfZ4EnhVVVsElpSMBFzKItwzJeR9jxZC23dHw57saKC6enu7K K0m3fUQagzHqcu5RKn/T+0w1Q51UTdsLiBfCpqzQ10+T1oRxCXYWOyIi jApUQCFvybf1U6S/7lOLagzzoSU6lzxcUivWxLEM0SbzYIoV1OWXIjnj X/7/ChvZPqr01iY9th4nXlK52Da0mPaPbunLF353s4LQ6CsmcFG3zCfg 6iYRugF/NE1uMbdpzsff7nV1/K4PdSJjLt/AKsofQbbca8zH6YEolTcA T8o18/H13jE=

: gall@localhost[gall]; drill -S -k /tmp/ripe.key ripe.net. soa | tail -5
DNSSEC Trust tree:
ripe.net. (SOA)
|---ripe.net. (DNSKEY keytag: 62805)
    |---ripe.net. (DNSKEY keytag: 21238)
;; Chase successful

: gall@localhost[gall]; drill -S -k /tmp/ripe.key ris.ripe.net. soa | tail -5
ris.ripe.net. (SOA)
|---ris.ripe.net. (DNSKEY keytag: 51156)
    |---ris.ripe.net. (DNSKEY keytag: 21022)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

The keytag of the DS record is 56179

: gall@localhost[unbound]; dig ris.ripe.net. ds +short
56179 5 1 B8F1169306DA0679416580D5AC3F43572B3318B6

-- 
Alex
Post To The List:

Replies

<<< Chronological >>> Author    Subject <<< Threads >>>
 

Next Section
     About RIPE | Site Map | LIR Portal | About the RIPE NCC | Contact | Copyright Statement
RIPE.NET Homepage LIR Portal RIPE Community