SixXS::Sunset 2017-06-06

DNSSEC setup: "covering NSEC found"
[gb] Shadow Hawkins on Saturday, 16 June 2012 03:06:40
Hello, I have submitted a DS record for my zone 7.a.0.8.0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa. However, dig -x 2a00:14f0:e000:80a7::1, say, with ISC DLV checking enabled in bind gives:

    dnssec: debug 3: validating @0xb8fb23d8: 0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa NS: covering nsec found: '0.0.e.0.f.4.1.0.0.a.2.ip6.arpa.dlv.isc.org' '0.e.0.f.4.1.0.0.a.2.ip6.arpa.dlv.isc.org' '8.0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa.dlv.isc.org'

When this DLV checking is disabled, the resolution proceeds successfully. Should I be entering some record in the DLV myself, or have I likely made some other mistake? Thanks.
[ch] Jeroen Massar SixXS Staff on Saturday, 16 June 2012 07:36:44
Covering means that those zones already have an nsec pointing to the right place. You might want to use +trace to see the full path etc. And no, you do not have to add a DLV, the DLV is already in place for the covering prefixes.
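
Added example, not part of the thread or of BIND: in DNSSEC, an NSEC record "covers" a name when the name sorts strictly between the NSEC owner and its next name in RFC 4034 section 6.1 canonical order, which proves that no record exists at that name. The sketch below applies that ordering to the three names from the debug line in the first post, assuming they are (name looked up, NSEC owner, NSEC next name) in that order, and also lists the names a validator tries in a DLV zone by stripping leading labels (RFC 5074); the function names are hypothetical.

```python
# Added example: canonical DNS name ordering (RFC 4034 section 6.1)
# applied to DLV lookups. Escaped dots inside labels are not handled.

def canonical_key(name):
    """Sort key: lowercase labels, compared right to left as raw octets."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(qname, owner, next_name):
    """True if the NSEC (owner -> next_name) proves qname does not exist."""
    q, o, n = map(canonical_key, (qname, owner, next_name))
    if o < n:
        return o < q < n
    # The last NSEC in a zone wraps around to the zone apex.
    return q > o or q < n

def dlv_candidates(zone, dlv="dlv.isc.org"):
    """Names tried in the DLV zone, longest first, one label stripped each time."""
    labels = zone.rstrip(".").split(".")
    return [".".join(labels[i:] + [dlv]) for i in range(len(labels))]

# Names copied from the debug line quoted in the first post.
# Assumed order: name looked up, NSEC owner, NSEC next name.
LOG_NAMES = (
    "0.0.e.0.f.4.1.0.0.a.2.ip6.arpa.dlv.isc.org",
    "0.e.0.f.4.1.0.0.a.2.ip6.arpa.dlv.isc.org",
    "8.0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa.dlv.isc.org",
)

# Zone name from the first post.
ZONE = "7.a.0.8.0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa."

if __name__ == "__main__":
    print("NSEC covers looked-up name:", nsec_covers(*LOG_NAMES))
    for candidate in dlv_candidates(ZONE):
        marker = "  <- name in the debug line" if candidate == LOG_NAMES[0] else ""
        print(candidate + marker)
```
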
[gb] Shadow Hawkins on Saturday, 16 June 2012 12:35:26
Thanks for your advice. The trace avoids 0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa entirely, but bind seems to look at 8.0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa and 0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa when it does a trust check. I am thinking it has something to do with:

    dig 7.a.0.8.0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa. ds @ns1.sixxs.net.

reporting

    ;; ANSWER SECTION:
    7.a.0.8.0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa. 604800 IN DS 48018 7 1 D79768EF0FCFC48F17C42879861E2F707F46886D
    ;; AUTHORITY SECTION:
    8.0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa. 604800 IN NS ns1.sixxs.net.

But I see now that

    dig 8.0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa. ns +dnssec

and

    dig 0.0.0.e.0.f.4.1.0.0.a.2.ip6.arpa. ns +dnssec

give a positive response with no accompanying RRSIG. Is this correct behaviour? The Verisign DNSSEC debugger at 1.0.8.4.3.0.1.0.a.2.ip6.arpa.dlv.isc.org dlv
[gb] Shadow Hawkins on Sunday, 17 June 2012 20:40:52
I have 2a01:348:165::/48 and have supplied a DS record for it using the SixXS interface. Looking at the trust chain e.g. at http://dnssec-debugger.verisignlabs.com/5.6.1.0.8.4.3.0.1.0.a.2.ip6.arpa I would expect 1.0.8.4.3.0.1.0.a.2.ip6.arpa to have an ISC DLV entry, i.e. for dig 1.0.8.4.3.0.1.0.a.2.ip6.arpa.dlv.isc.org dlv to return a DLV record corresponding to the zone's KSK DNSKEY after being passed through dnssec-dsfromkey. But in fact no such DLV record is present. So I must be misunderstanding something. I am new to DNSSEC. Could someone please tell me where I am going wrong? Thank you.

Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker