
DNSSEC RRSIG Inconsistency Report : Domain Preferido + ETH

DNSSEC RRSIG Inconsistency Report for preferido.us
[Recent DNS Changes Propagated - GoDaddy, KSK2024]

Date: June 29, 2025
Prepared by: Abhishek Kumar

In reference to:

Initial Draft: Abhishek Kumar

CA Office: Initial Submission Date: 06.11.2025

DOMAINS: PREFERIDO.US, NUTURE.ETH

Minimal Viable Activity Flow

Overview

This report documents a DNSSEC signature inconsistency discovered in the zone preferido.us. The zone is DNSSEC-enabled and signed on GoDaddy name servers. Analysis shows a mismatch between the DNSKEYs published, the DS records at the parent (.us) zone and the RRSIGs over the DNSKEY RRset: two KSKs (key tags 2751 and 41969) are published and both have DS records at the parent, but only 41969 signs the DNSKEY RRset. Validation still succeeds through 41969, but the unused DS for 2751 triggers warnings and Extended DNS Error 10 (RRSIGs Missing, RFC 8914) on DNSSEC-aware resolvers that report EDE.


This investigation is part of ongoing DNSSEC and identity verification work under the Credential Vault project. Two external developments provide context: the root KSK rollover to KSK-2024, which replaces the root zone's key and validators' trust anchor, and APNIC's resolver-validation measurements. Note that the root rollover does not change any key in preferido.us; it is relevant only because validating resolvers are being exercised during the same period. APNIC's testbed and resolver-path validation studies suggest that improperly or partially signed delegations such as this one may be handled differently by regional resolvers, so what a DNSSEC-aware client sees can depend on resolver geography and policy.


APNIC's measurement platform and DNSSEC-enabled resolver telemetry show how regional and ISP-level resolvers handle trust anchors and delegation inconsistencies. Its observability work, which tracks the validation status of TLDs and delegated subzones, agrees with what is seen here: a DS record whose key never signs the DNSKEY RRset produces no outage, only a silent degradation that is visible to validators reporting Extended DNS Errors. Upcoming APNIC-led validation surveys are expected to flag edge cases of this kind as the final stage of KSK-2024 propagation and RFC 5011 trust-anchor rollovers are tested at scale.


These findings, consolidated on the date of this report, are also considered relevant for broader community dissemination. The currently observed risk is classified as medium to low, but the long-term implications are significant because such inconsistencies are subtle and often misunderstood: a system may assume a fully trusted chain while carrying a hidden weakness in it, and propagation, trust-anchor handling and client-side validation can diverge in ways that are hard to detect without deliberate observability or regional resolver coverage.


No outages have been observed throughout the investigation period. The domain www.preferido.us has remained online and responsive consistently from June 16 through June 29, 2025, including the connected services hosted in parallel on both GoDaddy and Wix platforms. This availability further supports that while the DNSSEC validation discrepancy introduces a structural inconsistency, it has not yet disrupted domain resolution or user access.


Sharing these insights will help clarify the depth of the issue, encourage proper signing workflows across platforms, and ensure DNSSEC continues to fulfill its role as a foundational security layer in distributed identity, web integrity, and trust validation.


[Figure: DNSSEC authentication chain for www.preferido.us, captured June 29, 2025. Abhishek Kumar, all rights reserved.]

[Figure: DNSSEC authentication chain for www.preferido.us, captured June 26, 2025. Abhishek Kumar, all rights reserved.]

Key Findings

1. Active DS records in the .us zone:

  • Key tag 2751, algorithm 13 (ECDSAP256SHA256)

  • Key tag 41969, algorithm 13 (ECDSAP256SHA256)

Confirmed with:

dig +dnssec preferido.us DS

2. DNSKEY RRset returned:

kdig +dnssec @1.1.1.1 preferido.us DNSKEY

Returned:

  • 4 DNSKEYs in total:

    • DNSKEY 41969 (KSK)

    • DNSKEY 2751 (KSK)

    • 2 others (ZSKs)

  • Exactly one RRSIG over the DNSKEY RRset, made with key 41969

  • No RRSIG made with key 2751, although 2751 carries the KSK (SEP) flag and has a DS at the parent

Note that an RRSIG covers the whole DNSKEY RRset, so key 2751 is inside the data that 41969 signs; what is missing is a signature produced by 2751. A validator that starts from the DS for 2751 finds no matching signature and has to fall back to the DS for 41969.

3. RRSIG EDE warning triggered:

EDE: 10 (RRSIGs Missing): 'for DNSKEY preferido.us., id = 2751'

Observed from the Cloudflare resolver with:

kdig +dnssec +tls @1.1.1.1 www.preferido.us

4. Verification from Verisign Labs:

  • Confirms DNSKEY 2751 is present in the RRset

  • Confirms the only RRSIG over the DNSKEY RRset is by key 41969

  • Verifies that the CNAME and A RRsets for www.preferido.us are signed by DNSKEY 17376 (ZSK)

5. Zone file confirms DS publication:

From preferido.us_DNSRecordZoneFile.txt and the registrar control panel:

  • Both 2751 and 41969 are listed as active DS records

6. Authoritative NS validation:

Direct queries to the two GoDaddy authoritative servers:

kdig +dnssec @97.74.108.49 preferido.us DNSKEY

kdig +dnssec @173.201.76.49 preferido.us DNSKEY

Both return DNSKEY 2751 in the RRset with no RRSIG made by it, so the inconsistency originates at the authoritative servers rather than in resolver caching.



Suspected Cause

The issue most likely stems from a partially executed KSK rollover in the zone's own signing setup at GoDaddy. The root KSK rollover (KSK-2024) changes only the root zone's key and validators' trust anchors; it does not alter any key in preferido.us, so it can have coincided with, but not caused, the zone-level change. Key 2751 was:

  • Published in the DNSKEY RRset

  • Pushed to the .us zone as a DS record

  • But never used to sign the DNSKEY RRset (not activated for signing)

Neither of the standard KSK rollover sequences (double-signature or double-DS, RFC 6781) leaves a key published, DS-anchored and not signing for longer than the transition itself, so the zone appears to be stuck mid-rollover. This can result from:

  • Incomplete key signing policy updates

  • Stale DNSSEC signing automation

  • A manual DS push without activating the corresponding signing logic



Impact and Risk

  • Validation still succeeds via the DS for 41969, so no outage has been observed

  • EDE 10 (RRSIGs Missing) nevertheless appears in the diagnostics of validators that report extended errors, and third-party analyzers flag the zone

  • Operators and validators inspecting the chain may treat the zone as less trustworthy than a cleanly signed one

  • The chain currently rests on a single key: if 41969 or its DS were withdrawn during a future rollover before 2751 starts signing, the zone would become bogus and www.preferido.us would stop resolving on validating resolvers

  • Every DS at the parent is a trust anchor for the zone, so a DS for a key that never signs needlessly widens the set of private keys whose signatures validators would accept; an orphaned DS is a key-hygiene issue as well as a source of warnings

  • Long-term implications are non-trivial if the same state is carried into higher-value or identity-critical applications built on DNSSEC validation



Recommended Actions (preferido.us, after the recently propagated DNS changes)

  1. If 2751 is meant to be in use:

    • Ensure the signing configuration produces an RRSIG over the DNSKEY RRset with key 2751 as well as 41969

    • Confirm that dnssec-signzone (or GoDaddy's equivalent managed signing) treats every KSK in the DNSKEY RRset as a signing key

  2. If 2751 is obsolete or was added by mistake:

    • Withdraw the DS record for 2751 from the parent .us zone via the registrar

    • Then remove the orphaned DNSKEY from the zone; because 41969 keeps signing throughout, neither step interrupts validation, but removing the DS first is the conservative order

  3. Verify that both authoritative servers (ns77 and ns78) serve identical DNSKEY RRsets and RRSIGs, so resolvers do not see different chains depending on which server answers

  4. Regenerate or re-publish the signed zone if needed, then re-check from a validating resolver that the EDE 10 warning has cleared

  5. Engage in broader community sharing (e.g., APNIC testbed, DNS-OARC, or ICANN resolver ecosystem mailing lists)
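The checks in Key Findings 1 through 6 and recommendation 3 can be automated. The following is an added example written for this page, not the report's own tooling or anything from GoDaddy: it parses dig/kdig presentation-format output, computes key tags per RFC 4034 Appendix B, and classifies each DS-anchored key the way a validator building the chain of trust would. The embedded sample is constructed: the DNSKEYs carry one-byte fake public keys, so their tags (1038, 1294, 1037, 1549) stand in for the real 2751, 41969 and the two ZSKs, and the server names ns-a/ns-b are placeholders, with ns-b deliberately serving no RRSIG to show what a propagation mismatch between authoritatives looks like.

```python
"""DS / DNSKEY / RRSIG(DNSKEY) consistency audit for one zone (stdlib only).
Added example, not the report's tooling. Input is dig/kdig presentation format; the
sample at the bottom is CONSTRUCTED with one-byte fake keys so tags can be computed."""
from __future__ import annotations
import base64
import struct
from dataclasses import dataclass

def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not the RSA/MD5 variant)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

@dataclass(frozen=True)
class DnsKey:
    flags: int
    protocol: int
    algorithm: int
    pubkey_b64: str

    @property
    def tag(self) -> int:
        return key_tag(self.flags, self.protocol, self.algorithm, self.pubkey_b64)

def _rdata(text: str, rtype: str):
    """Yield RDATA tokens of every '<owner> <ttl> IN <rtype> ...' line; skip ';' comments."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 4 and not tok[0].startswith(";") and tok[3] == rtype:
            yield tok[4:]

def parse_dnskeys(text: str) -> list[DnsKey]:
    # rdata: flags protocol algorithm key (dig may split a long key over several tokens)
    return [DnsKey(int(r[0]), int(r[1]), int(r[2]), "".join(r[3:])) for r in _rdata(text, "DNSKEY")]

def parse_ds_tags(text: str) -> set[int]:
    return {int(r[0]) for r in _rdata(text, "DS")}  # rdata: keytag alg digesttype digest

def parse_rrsig_tags(text: str, covered: str = "DNSKEY") -> set[int]:
    # rdata: type-covered alg labels orig-ttl expiry inception KEYTAG signer signature
    return {int(r[6]) for r in _rdata(text, "RRSIG") if r[0] == covered}

def audit(zone: str, ds_tags: set[int], dnskeys: list[DnsKey], rrsig_tags: set[int]) -> dict:
    """Classify key tags the way a validator building the chain of trust sees them."""
    dnskey_tags = {k.tag for k in dnskeys}
    anchored_signers = ds_tags & dnskey_tags & rrsig_tags  # usable DS -> DNSKEY -> RRSIG paths
    report = {
        "chain_valid": bool(anchored_signers),
        "anchored_signers": sorted(anchored_signers),
        "ds_without_dnskey": sorted(ds_tags - dnskey_tags),
        "ds_not_signing": sorted((ds_tags & dnskey_tags) - rrsig_tags),  # the report's case
        "rrsig_by_unknown_key": sorted(rrsig_tags - dnskey_tags),
        "single_point_of_failure": len(anchored_signers) == 1,
    }
    # Same wording as the Cloudflare EDE 10 text quoted in the report.
    report["ede10"] = [f"RRSIGs Missing: for DNSKEY {zone}, id = {t}" for t in report["ds_not_signing"]]
    return report

def compare_servers(per_server: dict[str, tuple[set[int], set[int]]]) -> list[str]:
    """Servers whose (DNSKEY tags, RRSIG key tags) answer differs from the first server's."""
    reference = next(iter(per_server.values()))
    return sorted(name for name, answer in per_server.items() if answer != reference)

# Constructed sample modelled on the report: two DS-anchored KSKs, only one of them signing.
ZONE = "preferido.us."
SAMPLE_DS = """
preferido.us. 3600 IN DS 1038 13 2 0000000000000000000000000000000000000000000000000000000000000000
preferido.us. 3600 IN DS 1294 13 2 1111111111111111111111111111111111111111111111111111111111111111
"""
SAMPLE_DNSKEY = """
; two KSKs (257) and two ZSKs (256), algorithm 13; fake one-byte public keys
preferido.us. 3600 IN DNSKEY 257 3 13 AA==
preferido.us. 3600 IN DNSKEY 257 3 13 AQ==
preferido.us. 3600 IN DNSKEY 256 3 13 AA==
preferido.us. 3600 IN DNSKEY 256 3 13 Ag==
preferido.us. 3600 IN RRSIG DNSKEY 13 2 3600 20250713000000 20250629000000 1294 preferido.us. c2ln
"""

def run_sample() -> tuple[dict, list[str]]:
    keys = parse_dnskeys(SAMPLE_DNSKEY)
    report = audit(ZONE, parse_ds_tags(SAMPLE_DS), keys, parse_rrsig_tags(SAMPLE_DNSKEY))
    # Recommendation 3: placeholder servers ns-a/ns-b; ns-b (constructed) serves no RRSIG at all.
    ns_a = ({k.tag for k in keys}, parse_rrsig_tags(SAMPLE_DNSKEY))
    return report, compare_servers({"ns-a": ns_a, "ns-b": (ns_a[0], set())})

if __name__ == "__main__":
    for field, value in run_sample()[0].items():
        print(f"{field}: {value}")
```

Against the live zone, feed the output of `dig +dnssec preferido.us DS` to parse_ds_tags and the output of `dig +dnssec @<server> preferido.us DNSKEY` to parse_dnskeys and parse_rrsig_tags for each authoritative server. ds_not_signing is the condition behind the EDE 10 seen from 1.1.1.1; single_point_of_failure is why the state matters even though chain_valid is true.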




Conclusion

The DNSSEC configuration for preferido.us is close to full compliance but currently inconsistent: the KSK with key tag 2751 is published and DS-anchored yet produces no RRSIG over the DNSKEY RRset. Identifying why the signer is not using 2751 (or withdrawing its DS) and correcting it promptly is strongly recommended.

Doing so aligns with best practice for secure, validated delegation chains during ongoing rollover periods such as KSK-2024. The observation also relates to regional DNSSEC behaviour studies, including APNIC's findings on resolver trust validation, which reinforce the importance of fully synchronized and correctly signed key sets across all authoritative servers.

Comments
Abhishek Kumar
Jul 10, 2025

As part of the Initial Draft Submission dated 06/11/2025, it seems this also gets us closer to a few of the sections outlined based on domain, in-domain, cross-domain and across-domain. So far, all these already seem to me as the "Classified Leverage".

CA Office
Jul 09, 2025

Please do not hesitate to share your thoughts or discuss anytime with Abhishek Kumar. 👍
Contact Info
Aug 31, 2025
Replying to

Abhishek can also be reached at akumar@preferido.us / contactus@preferido.us, or anytime at abhishekdemouser@gmail.com.

CA Office
Jul 09, 2025

Based on ongoing working sessions and discussions, an initial Draft Document can also be found here:

Preferido | Nuture — ENS Gasless Identity Resolver Verification. | Abhishek Kumar

This tool enables gasless verification of ENS-linked domains via DNSSEC. Ideal for domains like preferido.us using secure TXT records and Ethereum wallet-based message signing.

Learn more at: ENS & DNSSEC Portal; ENS & DNSSEC Blog


 

Abhishek Kumar© 2002-2025.
All rights reserved. Preferido.
ENS Domain: NUTURE.ETH.