[dns-operations] Signatures expired in 54.in-addr.arpa

Chris Thompson cet1 at cam.ac.uk
Sat Apr 20 20:07:32 UTC 2013


On Apr 20 2013, I wrote:

>The RRSIG records in 54.in-addr.arpa have expired, at 2013-04-19 00:00:30 UTC.
>
>http://dnssec-debugger.verisignlabs.com/54.in-addr.arpa confirms this.
>
>dns-ops at arin.net (SOA.rname for the zone) cc'd.
>
>This particular zone seems to have a jinx on it - it was the one for
>which the DS and DNSKEY records got out of step in December 2011.

A more detailed inspection suggests that the zone had never been updated
at all since the start of the 10-day validity period of the RRSIGs.

I got a really rapid reply from Pete Toscano at ARIN, and there's now a
new version, generated today, on the ARIN nameservers. Unfortunately, this
one has a mismatch between the DNSKEY records and the DS in the parent
zone - i.e. we are back in the December 2011 scenario.

Jinxed, indeed... :-(

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.



More information about the dns-operations mailing list