[dns-operations] Validation problems for nal.usda.gov

Casey Deccio casey at deccio.net
Fri Nov 16 04:15:30 UTC 2012


On Thu, Nov 15, 2012 at 6:12 PM, Mark Andrews <marka at isc.org> wrote:

>
> In message <50A53AD6.70403 at ack.berkeley.edu>, Rune Stromsness writes:
> >
> > We've been seeing DNSSEC validation problems (using the ISC DLV trust
> > anchor) for nal.usda.gov for about 3 weeks now.  We've been unable to
> > get in touch with anyone at the NAL who knows anything about DNSSEC, and
> > we're not happy about turning off use of the DLV for our campus.  Our
> > customers are getting more unhappy with their inability to use the
> > nal.usda.gov resources from campus, however.
> >
> > Does anyone know of a USDA or .gov contact who knows what DNSSEC is who
> > might be able to help get the NAL to fix or mitigate their issues?
> >
> >
> > Rune
> > --
> > Rune Stromsness
> > Network Operations & Services
> > Telecommunications
> > University of California, Berkeley
> > runes at berkeley.edu
>
> They have a large DNSKEY RRset (;; MSG SIZE  rcvd: 2731) so you may
> be seeing issues with fragmentation.  The DLV records match the
> DNSKEY records.
>
>
For nearly two weeks they were operating with expired RRSIGs, but
apparently they fixed that as of at least 7 hours ago:

http://dnsviz.net/d/nal.usda.gov/UKT0sg/dnssec/
http://dnsviz.net/d/nal.usda.gov/UKVeIg/dnssec/

Casey
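
The two failure modes raised in this thread (expired RRSIGs and a DNSKEY response too large for one UDP datagram) can be triaged from saved dig output. The following is an added example, not part of the original thread: the sample records, key tags and the function names are constructed for illustration, and the 1472-byte limit assumes IPv4 over a 1500-byte MTU path.

```python
import re
from datetime import datetime

# Constructed sample in dig's presentation format. Owner name, key tags and
# signature data are placeholders; only the 2731-byte size comes from the thread.
SAMPLE = """\
example.gov. 3600 IN RRSIG DNSKEY 8 2 3600 20121101000000 20121002000000 12345 example.gov. c2ln...
example.gov. 3600 IN RRSIG DNSKEY 8 2 3600 20121215000000 20121115000000 54321 example.gov. c2ln...
;; MSG SIZE  rcvd: 2731
"""

# Fields after RRSIG: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature (RFC 4034, 3.2).
RRSIG_RE = re.compile(
    r"^\S+[ \t]+\d+[ \t]+IN[ \t]+RRSIG[ \t]+(\S+)[ \t]+\d+[ \t]+\d+[ \t]+\d+"
    r"[ \t]+(\d{14})[ \t]+(\d{14})[ \t]+(\d+)[ \t]", re.M)
SIZE_RE = re.compile(r"^;; MSG SIZE\s+rcvd: (\d+)", re.M)

# Assumption: IPv4 over a 1500-byte MTU path, so 1500 - 20 (IP) - 8 (UDP).
MAX_UNFRAGMENTED_UDP = 1472


def _ts(stamp):
    """Parse a YYYYMMDDHHmmSS timestamp (always UTC in RRSIG records)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")


def rrsig_status(text, now):
    """Return [(type_covered, key_tag, status)] for every RRSIG line in text."""
    when, results = _ts(now), []
    for covered, expiration, inception, tag in RRSIG_RE.findall(text):
        if when > _ts(expiration):
            status = "expired"
        elif when < _ts(inception):
            status = "not-yet-valid"
        else:
            status = "valid"
        results.append((covered, int(tag), status))
    return results


def size_risk(text):
    """Classify the reported message size against the single-datagram limit."""
    match = SIZE_RE.search(text)
    if match is None:
        return "unknown"
    size = int(match.group(1))
    return "fragments-or-needs-tcp" if size > MAX_UNFRAGMENTED_UDP else "single-datagram"


if __name__ == "__main__":
    print(rrsig_status(SAMPLE, "20121116041530"), size_risk(SAMPLE))
```

A zone is only broken for validators when no RRSIG covering the RRset is inside its validity window, so one expired signature next to a valid one is not by itself a failure.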