There is nothing to worry about here. There is an insecure delegation at webex.com (no DS RRset). Named does bottom up validation (follows the RRSIG signer names) then does to down to prove insecure if that fails. The messages are logged during the first stage.
On 9 May 2023, at 23:33, Reuben Farrelly via NANOG <nanog@nanog.org> wrote:
Does anyone know of a contact of someone (presumably at Webex/Cisco) who can take a look at the DNS for webex.com?
It has been for some time now, logging a lot of DNSSEC warnings on my resolver:
dnssec: validating external-media75.public.wnrtm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s) dnssec: validating external-media75.public.wsinm-a-3.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s) dnssec: validating external-media78.public.wbomm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s) dnssec: validating external-media8.public.wnrtm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
(and a whole lot more hostnames in the same domain). Some basic DNSSec analysis indicates something in the middle of the trust chain is broken:
https://dnssec-analyzer.verisignlabs.com/external-media26.public.wjfkm-a-3.p...
It looks to me like the subdomains have DS records but the other parts of the subdomain don't and I guess there's no point in having DS records on host records, if the parent domain doesn't have them too.
I wouldn't bother if it was one or two entries, but it looks like the whole domain is affected and this probably is a fairly widely utilised domain.
Thanks, Reuben
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org