[dns-operations] Pending Removal of 3 Negative Trust Anchors @ Comcast

Casey Deccio casey at deccio.net
Tue May 22 05:01:13 UTC 2012


On Mon, May 21, 2012 at 3:09 PM, Chris Thompson <cet1 at cam.ac.uk> wrote:

> On May 21 2012, Livingood, Jason wrote:
>
>> - Negative Trust Anchor added 4/23/12
>> - Issue appears due to expired keys in the domain
>> - DNSViz report at http://dnsviz.net/d/fbo.gov/T7YMCQ/dnssec/
>>
>
> One of the three authoritative nameservers (ns04.symplicity.com) has
> expired signatures (not *keys*, damnit!), the other two are currently
> fine, although all three claim the same SOA serial for the zone.
>
> [...]
>
> Some of the DNSSEC checking sites seem not to try all the nameservers,
> at least by default.
>
>
Incidentally, I've (somewhat) recently made available on DNSViz a breakdown
of RRsets within all the responses received for queries during an analysis,
so it's easier to see which RRsets and RRSIGs (or lack thereof!) are
returned with each response.  It's still very much a work-in-progress, but
hopefully it's helpful.

http://dnsviz.net/d/fbo.gov/T7YMCQ/responses/

Regards,
Casey
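
Added example, not part of the original message and not DNSViz code: a per-nameserver check of RRSIG validity windows, covering the case discussed above where one authoritative server returns expired signatures while all servers advertise the same SOA serial. The server names, zone, serial, reference time and records are constructed sample data; in practice each record list would come from querying that authoritative server directly.

```python
from datetime import datetime, timezone

def parse_rrsig(line):
    """Parse one RRSIG record in presentation format (RFC 4034, section 3.2)."""
    f = line.split()
    i = f.index("RRSIG")
    covered, _alg, _labels, _ottl, exp, inc, tag, signer = f[i + 1:i + 9]
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"covered": covered, "expiration": ts(exp), "inception": ts(inc),
            "key_tag": int(tag), "signer": signer}

def server_status(rrsig_lines, now):
    """Classify one server's answer by the validity window of its RRSIGs."""
    sigs = [parse_rrsig(l) for l in rrsig_lines]
    if not sigs:
        return "unsigned"
    if any(s["inception"] <= now <= s["expiration"] for s in sigs):
        return "ok"
    if all(s["expiration"] < now for s in sigs):
        return "expired"
    return "outside-validity-window"

def audit(responses, now):
    """responses maps server -> (soa_serial, [rrsig lines]).
    Returns (per-server status, divergent flag)."""
    status = {srv: server_status(sigs, now) for srv, (_ser, sigs) in responses.items()}
    serials = {serial for serial, _sigs in responses.values()}
    # Same serial everywhere but different signature state: a checker that
    # queries only one server would miss the broken one.
    divergent = len(serials) == 1 and len(set(status.values())) > 1
    return status, divergent

# Constructed sample data (hypothetical servers and zone, placeholder signature).
NOW = datetime(2012, 5, 22, 5, 1, 13, tzinfo=timezone.utc)
_RR = "example.com. 3600 IN RRSIG SOA 7 2 3600 {exp} {inc} 12345 example.com. c2lnbmF0dXJl"
SAMPLE = {
    "ns1.example.net": (2012050101, [_RR.format(exp="20120620000000", inc="20120521000000")]),
    "ns2.example.net": (2012050101, [_RR.format(exp="20120620000000", inc="20120521000000")]),
    "ns3.example.net": (2012050101, [_RR.format(exp="20120420000000", inc="20120321000000")]),
}

if __name__ == "__main__":
    status, divergent = audit(SAMPLE, NOW)
    for srv, st in sorted(status.items()):
        print(f"{srv}: {st}")
    print("same SOA serial, differing signature state:", divergent)
```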