www.ncbi.nlm.nih.gov / pubmed

Hauke Lampe lampe at hauke-lampe.de
Wed Aug 18 12:40:16 UTC 2010


On 18.08.2010 14:31, Phil Mayers wrote:

> After a bit of investigation, it seems that the problem is a missing
> NSEC/NSEC3 record in the empty reply for:
>
> $ dig +dnssec @165.112.4.230 ncbi.nlm.nih.gov ds
>
> ...since the "ncbi" zone is an unsigned child zone, there needs to be an
> NSEC/NSEC3 record to prove the absence of the DS record, and have a
> secure delegation to an unsigned child zone.

I think the problem is already in the nlm.nih.gov zone. nih.gov contains
DS records for nlm.nih.gov, but the zone itself is not signed.

dig +dnssec nlm.nih.gov ds @ns.nih.gov. -> signed DS records
dig +dnssec nlm.nih.gov soa @ns.nih.gov. -> unsigned response

Validating resolvers thus reject the unsigned answer:
"nlm.nih.gov SOA: got insecure response; parent indicates it should be
secure"

According to the SOA, nlmdnshostmaster at mail.nih.gov is the appropriate
contact address. I'll put them in Cc.



Hauke.
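The two failure modes discussed in this thread (a DS at the parent with an unsigned child zone, and an empty DS answer with no NSEC/NSEC3 proof of absence) modelled as a validator's decision logic, as an added example that is not part of the original post; it uses constructed response shapes rather than live dig queries, and assumes the parent zone at each step is signed.

```python
# Added example, not from the thread: model how a validating resolver judges
# a delegation from the parent's DS answer and the child's apex answer.
# Responses are constructed dicts (sets of RRtypes per section), not live DNS.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

def classify_delegation(parent_ds_reply, child_reply):
    """parent_ds_reply: {'answer': set, 'authority': set} from a signed parent
    for '<child> DS'; child_reply: {'answer': set} for the child's SOA."""
    ans, auth = parent_ds_reply["answer"], parent_ds_reply.get("authority", set())
    if "DS" in ans:
        if "RRSIG" not in ans:
            return BOGUS, "DS answer from signed parent is itself unsigned"
        # Parent says the child is secure, so the child's answer needs RRSIGs
        # (the nlm.nih.gov case: DS in nih.gov, unsigned child zone).
        if "RRSIG" in child_reply["answer"]:
            return SECURE, "DS at parent, signed child answer"
        return BOGUS, "got insecure response; parent indicates it should be secure"
    # No DS: the parent must prove absence with a signed NSEC/NSEC3, otherwise
    # the delegation cannot be told apart from a stripped one (the ncbi case).
    if "RRSIG" in auth and auth & {"NSEC", "NSEC3"}:
        return INSECURE, "absence of DS proven; unsigned child is expected"
    return BOGUS, "no DS and no NSEC/NSEC3 proof of its absence"

def walk_chain(steps):
    """steps: [(zone, parent_ds_reply, child_reply), ...] ordered top-down.
    Below a proven-insecure delegation everything is insecure; a bogus
    delegation stops validation, which is why nlm.nih.gov fails first."""
    result, status = [], SECURE
    for zone, parent_ds, child in steps:
        if status == INSECURE:
            result.append((zone, INSECURE, "below an insecure delegation"))
            continue
        status, reason = classify_delegation(parent_ds, child)
        result.append((zone, status, reason))
        if status == BOGUS:
            break
    return result

# Constructed responses mirroring the dig output quoted in the thread.
NIH_DS_FOR_NLM = {"answer": {"DS", "RRSIG"}, "authority": set()}
NLM_SOA = {"answer": {"SOA"}}                              # unsigned zone
NLM_DS_FOR_NCBI = {"answer": set(), "authority": {"SOA"}}  # empty, no NSEC
NCBI_SOA = {"answer": {"SOA"}}

if __name__ == "__main__":
    for zone, status, why in walk_chain([
            ("nlm.nih.gov", NIH_DS_FOR_NLM, NLM_SOA),
            ("ncbi.nlm.nih.gov", NLM_DS_FOR_NCBI, NCBI_SOA)]):
        print(f"{zone}: {status} ({why})")
```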
