[dns-operations] Pending Removal of 3 Negative Trust Anchors @ Comcast

Chris Thompson cet1 at cam.ac.uk
Mon May 21 22:09:37 UTC 2012


On May 21 2012, Livingood, Jason wrote:

[...]
>Upcoming Removal of Three Negative Trust Anchors
>Monday, May 21, 2012
>
>Comcast plans to remove three separate Negative Trust Anchors
[...]
>  *   fbo.gov
>- Negative Trust Anchor added 4/23/12
>- Issue appears due to expired keys in the domain
>- DNSViz report at http://dnsviz.net/d/fbo.gov/T7YMCQ/dnssec/

One of the three authoritative nameservers (ns04.symplicity.com) has
expired signatures (not *keys*, damnit!), the other two are currently
fine, although all three claim the same SOA serial for the zone.

A validating recursive BIND doesn't seem to have any trouble with this.

Some of the DNSSEC checking sites seem not to try all the nameservers,
at least by default.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
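
The condition described in the message above (one authoritative server serving expired signatures while every server reports the same SOA serial) only shows up when each nameserver is checked separately. The following is an added example, not part of the original post: it parses dig-style SOA and RRSIG answers per server and reports each server's signature status. The zone, server names, key tag and dates are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample: what "dig +dnssec +norec SOA example.org @<server>" might
# return from each authoritative server. Names, key tag and dates are made up.
SOA = "example.org. 3600 IN SOA ns1.example.net. hostmaster.example.org. 2012052101 7200 3600 1209600 3600\n"
SIG = "example.org. 3600 IN RRSIG SOA 7 2 3600 {exp} {inc} 12345 example.org. c2FtcGxl\n"
SAMPLE = {
    "ns1.example.net": SOA + SIG.format(exp="20120620000000", inc="20120521000000"),
    "ns2.example.net": SOA + SIG.format(exp="20120620000000", inc="20120521000000"),
    # Same serial, but still serving signatures from an older signing run.
    "ns3.example.net": SOA + SIG.format(exp="20120519000000", inc="20120419000000"),
}

def _ts(field):
    # RRSIG times in presentation format are YYYYMMDDHHMMSS, always UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_answer(text):
    """Return (soa_serial, [(inception, expiration), ...]) for one server."""
    serial, sigs = None, []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[2] == "IN" and f[3] == "SOA":
            serial = int(f[6])
        elif len(f) >= 13 and f[2] == "IN" and f[3] == "RRSIG":
            # rdata order: covered alg labels origttl EXPIRATION INCEPTION tag signer sig
            sigs.append((_ts(f[9]), _ts(f[8])))
    return serial, sigs

def audit(answers, now):
    """Return ({server: (serial, status)}, all_serials_equal)."""
    report = {}
    for server, text in answers.items():
        serial, sigs = parse_answer(text)
        if not sigs:
            status = "no-rrsig"
        elif any(now > exp for _, exp in sigs):
            status = "expired"
        elif any(now < inc for inc, _ in sigs):
            status = "not-yet-valid"
        else:
            status = "ok"
        report[server] = (serial, status)
    return report, len({s for s, _ in report.values()}) == 1

if __name__ == "__main__":
    now = datetime(2012, 5, 21, 22, 9, 37, tzinfo=timezone.utc)  # date of the post
    report, same_serial = audit(SAMPLE, now)
    for server, (serial, status) in report.items():
        print(f"{server}: serial={serial} signatures={status}")
    print("all servers claim the same SOA serial:", same_serial)
```

Matching serials with differing signature status, as in the sample, means serial comparison alone does not confirm that every server carries the current signed zone.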


