[dns-operations] Pending Removal of 3 Negative Trust Anchors @ Comcast
Chris Thompson
cet1 at cam.ac.uk
Mon May 21 22:09:37 UTC 2012
On May 21 2012, Livingood, Jason wrote:
[...]
>Upcoming Removal of Three Negative Trust Anchors
>Monday, May 21, 2012
>
>Comcast plans to remove three separate Negative Trust Anchors
[...]
> * fbo.gov
>- Negative Trust Anchor added 4/23/12
>- Issue appears due to expired keys in the domain
>- DNSViz report at http://dnsviz.net/d/fbo.gov/T7YMCQ/dnssec/
One of the three authoritative nameservers (ns04.symplicity.com) has
expired signatures (not *keys*, damnit!), the other two are currently
fine, although all three claim the same SOA serial for the zone.
A validating recursive BIND doesn't seem to have any trouble with this.
Some of the DNSSEC checking sites seem not to try all the nameservers,
at least by default.
--
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
More information about the dns-operations
mailing list