[dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.

Viktor Dukhovni ietf-dane at dukhovni.org
Mon May 4 20:01:40 UTC 2020


On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:

> I noticed that the DNSSEC-signed domains under the top-level domain fr.
> have been failing for about 4 hours.

Indeed, there does seem to be a problem with expired DS RR signatures.
A random sample of 1000 .fr child domains (out of 398,564 total known
to me signed .fr domains) returns DS lookup ServFail for 205 of them.

The associated RRSIG expiration times are:

        204 20200504145605
          1 20200504174835

We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so
the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are
now expired, affecting ~80k signed domains.

> Could anybody please fix this?

I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC
folks are on this list.

> Did anybody else also notice this?

Yes.  See above.

-- 
    Viktor.
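
The estimate in the message above, worked through as an added example (not part of the original post). It checks the quoted RRSIG expiration times against the message timestamp and applies the sqrt(n*p*q) approximation to the sample; the function names are illustrative, and the 14-digit UTC timestamp layout is the RRSIG presentation format from RFC 4034.

```python
import math
from datetime import datetime, timezone

# Figures quoted in the message above.
SAMPLE_SIZE = 1000
POPULATION = 398_564
# RRSIG expiration tallies from the message: (count, YYYYMMDDHHmmSS, UTC).
TALLIES = [(204, "20200504145605"), (1, "20200504174835")]
# Reference time: the timestamp of the message itself.
NOW = datetime(2020, 5, 4, 20, 1, 40, tzinfo=timezone.utc)


def parse_rrsig_time(text):
    """Parse a 14-digit RRSIG presentation-format timestamp as UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def count_expired(tallies, now):
    """Count sampled signatures whose expiration lies before `now`."""
    return sum(n for n, exp in tallies if parse_rrsig_time(exp) < now)


def estimate(failures, n, population, sigmas=3):
    """Normal approximation to the binomial, with sd = sqrt(n*p*q)."""
    p = failures / n
    sd = math.sqrt(n * p * (1 - p))
    # Clamp the interval to valid proportions for very small or large p.
    low = max(0.0, (failures - sigmas * sd) / n)
    high = min(1.0, (failures + sigmas * sd) / n)
    return {
        "p": p,
        "sd": sd,
        "low": low,
        "high": high,
        "affected": round(p * population),
        "affected_low": round(low * population),
        "affected_high": round(high * population),
    }


if __name__ == "__main__":
    expired = count_expired(TALLIES, NOW)
    r = estimate(expired, SAMPLE_SIZE, POPULATION)
    print(f"{expired}/{SAMPLE_SIZE} sampled DS RRSIGs expired, sd ~{r['sd']:.1f}")
    print(f"3-sigma interval: {r['low']:.1%} to {r['high']:.1%}")
    print(f"estimated affected domains: ~{r['affected']} "
          f"({r['affected_low']} to {r['affected_high']})")
```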


