[dns-operations] Problems with .gov

David Blacka davidb at verisign.com
Mon Jan 31 16:52:16 UTC 2011

On Jan 31, 2011, at 10:13 AM, Creighton, Tom wrote:

> Anyone else having problems?
> http://dnsviz.net/d/noaa.gov/dnssec/

I see warnings on dnsviz.net, but I don't see any actual validation problems.  (You can also try the Verisign Labs debugger just to double check: http://dnssec-debugger.verisignlabs.com/noaa.gov)

What you are seeing is the KSK (and ZSK) key roll as part of the .gov transition to Verisign.  The errors shown on dnsviz.net are (I think) caused by a timing effect:  signatures by the older KSK and ZSK are going to expire in less than the TTL values over those RRsets (1 day), hence the warning.  This should cause those RRsets to be cached for less than a day (i.e., not cached beyond the expiration.)

The new KSK, ZSK, and parent DS have all been pre-published, so when RRsets are fetched from the new .gov zone being published momentarily, there should be no validation issues.

David Blacka                          <davidb at verisign.com> 
Principal Engineer    Verisign Platform Product Development
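An added example, not part of David's message or the dns-operations archive: the check behind the dnsviz.net warning he describes, run over a constructed RRSIG record (the timestamps, key tag and signature are invented). It compares the time left until an RRSIG expires with the RRset TTL, and computes the capped TTL a validating resolver should use, since an RRset should not be cached beyond its RRSIG expiration (RFC 4035, Section 4.5).

```python
from datetime import datetime, timezone

# Constructed sample: an RRSIG over the noaa.gov DNSKEY RRset with a one-day
# TTL whose signature expires in under a day from the time of the post.
SAMPLE_RRSIG = (
    "noaa.gov. 86400 IN RRSIG DNSKEY 7 2 86400 "
    "20110201120000 20110125120000 12345 noaa.gov. AbCdEf=="
)

def parse_ts(s):
    """Parse a YYYYMMDDHHMMSS timestamp (RFC 4034, Section 3.2) as UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return (ttl, expiration) from a presentation-format RRSIG record."""
    f = line.split()
    if f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    ttl = int(f[1])
    # Field 8 is the signature expiration; field 9 is the inception.
    return ttl, parse_ts(f[8])

def check_rrsig(line, now):
    """Classify the RRSIG at time `now`:
    'expired', 'warn' (expires within one TTL, the dnsviz case) or 'ok'."""
    ttl, expiration = parse_rrsig(line)
    remaining = (expiration - now).total_seconds()
    if remaining <= 0:
        return "expired"
    if remaining < ttl:
        return "warn"
    return "ok"

def effective_ttl(line, now):
    """Seconds a validating resolver may cache the RRset at time `now`:
    the smaller of the RRset TTL and the time left until RRSIG expiration,
    never negative. This is why the warned RRsets are cached for under a day."""
    ttl, expiration = parse_rrsig(line)
    remaining = int((expiration - now).total_seconds())
    return max(0, min(ttl, remaining))

if __name__ == "__main__":
    now = parse_ts("20110131165216")  # time of the original post, UTC
    print(check_rrsig(SAMPLE_RRSIG, now), effective_ttl(SAMPLE_RRSIG, now))
```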
