SixXS::Sunset 2017-06-06

Ticket ID: SIXXS #1087176
Ticket Status: User

PoP: (not applicable)

Incorrectly signed reverse lookup zones
[at] Shadow Hawkins on Saturday, 16 May 2009 00:55:42
Reverse DNS lookups for my tunnel endpoints in 2001:6f8:900::/52 fail on DNSSEC-enabled resolvers (SERVFAIL). My resolvers running BIND 9.5.1-P1 (including the latest NSEC3 patch necessary for resolving .gov) create the following log entries: no valid RRSIG resolving '0.0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa/DS/IN': 193.109.122.62#53 no valid RRSIG resolving '0.0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa/DS/IN': 213.197.29.32#53 no valid RRSIG resolving '0.0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa/DS/IN': 193.1.31.74#53 no valid RRSIG resolving '0.0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa/DS/IN': 2001:7b8:3:1e:290:27ff:fe0c:5c5e#53 no valid RRSIG resolving '0.0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa/DS/IN': 2001:838:1:1:210:dcff:fe20:7c7c#53 no valid RRSIG resolving '0.0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa/DS/IN': 2001:770:18:8::4#53 My DLV trust anchor is dlv.isc.org.
Incorrectly signed reverse lookup zones
[ch] Jeroen Massar SixXS Staff on Monday, 18 May 2009 01:21:58
2001:6f8:900::/52
SixXS only gives out prefixes per /64 and /48. A /52 is thus for sure wrong. You mention "my tunnel endpoints", but as you have three tunnels, which ones?
no valid RRSIG resolving '0.0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa/DS/IN': 193.109.122.62#53
Of course there is no RRSIG for that nibble boundary.
My DLV trust anchor is dlv.isc.org.
Which is also used for all our zones, and which has a "check" robot which indicates no problems.
Incorrectly signed reverse lookup zones
[at] Shadow Hawkins on Monday, 18 May 2009 02:41:41
2001:6f8:900::/52
SixXS only gives out prefixes per /64 and /48. A /52 is thus for sure wrong.
By writing "/52" I merely wanted to indicate that my tunnel endpoint IP addresses are indeed of the form "2001:6f8:900:0xyz::2" as suggested in the error messages.
You mention "my tunnel endpoints", but as you have three tunnels, which ones?
I was testing the static tunnels, 2001:6f8:900:ae4::2 and 2001:6f8:900:c08::2. Unfortunately, I missed a part of the error messages, I also get no valid DS resolving '2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.e.a.0.0.0.9.0.8.f.6.0.1.0.0.2.ip6.arpa/PTR/IN': 2001:770:18:8::4#53 probably as a consequence of the previous error messages. My BIND DNSSEC configuration is what is suggested by the ISC website and I'm using Debian lenny's bind9 package. My experience with DNSSEC is very limited, so right now I'm not able to investigate the problem any further; all I have is two recursors with the aforementioned setup that show this behavior.
State change: user Locked
[ch] Jeroen Massar SixXS Staff on Monday, 18 May 2009 01:22:10
Message is Locked
The state of this ticket has been changed to user

Please note Posting is only allowed when you are logged in.
Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker