[gnome.org #14466] DNSSEC for *.bugzilla-attachments.gnome.org is wonky

["Mantas Mikulėnas via RT" <dnsmaster gnome org>]

You are reading this message because you are a watcher of the DNS queue at GNOME.org Request Tracker.

Mon Aug 18 19:29:05 2014: Request 14466 was acted upon.
Transaction: Ticket created by grawity gmail com
       Queue: DNS
     Subject: DNSSEC for *.bugzilla-attachments.gnome.org is wonky
       Owner: Nobody
  Requestors: grawity gmail com
      Status: new
 Ticket <URL: https://rt.gnome.org/Ticket/Display.html?id=14466 >

--- Original message follows: --------------------------------------------------------------
Some tools (but not all) seem to be having problems resolving
<foo>.bugzilla-attachments.gnome.org. For example, the VeriSign
debugger [1] says:

> RRSIG=40692 and DNSKEY=40692 does not verify the A RRset (RSA Verification failed)

Meanwhile, DNSViz [2] shows 'A' records as secure/existent *and*
secure/nonexistent at the same time, while 'AAAA' records show up as
both secure/existent and bogus/nonexistent (if you enable additional
options [3]).

> NSEC RRs proving non-existence of bug734290.bugzilla-attachments.gnome.org/AAAA:
> The NSEC RR(s) are insufficient to prove non-existence of bug734290.bugzilla-attachments.gnome.org/AAAA.

Unbound says "Validate: message contains bad rrsets", meanwhile,
`drill -S` and `drill -TD` validate everything just fine.
Interestingly, Unbound lets it through if I turn off forwarding and
make it recurse itself. I think I've had this problem before. But that
doesn't explain why DNSViz and VeriSign show failures...

[1]: http://dnssec-debugger.verisignlabs.com/bug734290.bugzilla-attachments.gnome.org
[2]: http://dnsviz.net/d/bug734290.bugzilla-attachments.gnome.org/dnssec/
[3]: 
http://dnsviz.net/d/bug734290.bugzilla-attachments.gnome.org/dnssec/?rr=all&a=all&ds=all&doe=on&red=on&ta=.&ta=dlv.isc.org.&tk=

-- 
Mantas Mikulėnas <grawity gmail com>