[dns-operations] Pending Removal of 3 Negative Trust Anchors @ Comcast

Chris Thompson cet1 at cam.ac.uk
Mon May 21 22:09:37 UTC 2012

On May 21 2012, Livingood, Jason wrote:

>Upcoming Removal of Three Negative Trust Anchors
>Monday, May 21, 2012
>Comcast plans to remove three separate Negative Trust Anchors
>  *   fbo.gov
>- Negative Trust Anchor added 4/23/12
>- Issue appears due to expired keys in the domain
>- DNSViz report at http://dnsviz.net/d/fbo.gov/T7YMCQ/dnssec/

One of the three authoritative nameservers (ns04.symplicity.com) has
expired signatures (not *keys*, damnit!), the other two are currently
fine, although all three claim the same SOA serial for the zone.

A validating recursive BIND doesn't seem to have any trouble with this.

Some of the DNSSEC checking sites seem not to try all the nameservers,
at least by default.

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
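
An added example, not part of the original message: the per-server check the post implies, which evaluates the RRSIG validity window returned by every authoritative nameserver instead of stopping at the first one. The server names, key tag, signature and timestamps in the sample are constructed placeholders, not data from fbo.gov.

```python
from datetime import datetime, timezone

# Constructed sample: the SOA RRSIG line each authoritative server returns, in
# the format `dig +dnssec +norecurse SOA <zone> @<server>` prints. Server names,
# key tag and signature are placeholders, not data from the zone in the post.
_GOOD = "example. 3600 IN RRSIG SOA 7 1 3600 20120530000000 20120516000000 12345 example. cGxhY2Vob2xkZXI="
_STALE = "example. 3600 IN RRSIG SOA 7 1 3600 20120519000000 20120505000000 12345 example. cGxhY2Vob2xkZXI="
SAMPLE_ANSWERS = {"ns1.example.": _GOOD, "ns2.example.": _GOOD, "ns3.example.": _STALE}

def _ts(field):
    """Parse an RRSIG timestamp in the YYYYMMDDHHmmSS form (always UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split one presentation-format RRSIG record into the fields we need."""
    # owner ttl class RRSIG covered alg labels origttl expiration inception keytag signer sig
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {"covered": f[4], "expiration": _ts(f[8]), "inception": _ts(f[9]),
            "key_tag": int(f[10]), "signer": f[11]}

def signature_status(line, now):
    """Classify a signature by its validity window at time `now`."""
    sig = parse_rrsig(line)
    if now > sig["expiration"]:
        return "expired"
    if now < sig["inception"]:
        return "not-yet-valid"
    return "valid"

def check_all_servers(answers, now):
    """Return (status per server, servers with bad signatures, overall verdict)."""
    per_server = {ns: signature_status(line, now) for ns, line in answers.items()}
    bad = sorted(ns for ns, status in per_server.items() if status != "valid")
    if not bad:
        verdict = "consistent-valid"
    elif len(bad) == len(per_server):
        verdict = "consistent-broken"
    else:
        verdict = "inconsistent"  # what a single-server check would miss
    return per_server, bad, verdict

if __name__ == "__main__":
    now = datetime(2012, 5, 21, 22, 9, 37, tzinfo=timezone.utc)
    per_server, bad, verdict = check_all_servers(SAMPLE_ANSWERS, now)
    for ns, status in sorted(per_server.items()):
        print(f"{ns:15} {status}")
    print("verdict:", verdict, "bad servers:", bad)
```

An "inconsistent" verdict is the case described above: a checker that sampled only one server would report the zone as either fully healthy or fully broken, depending on which server it happened to ask.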
