[dns-operations] DNSSEC problem at one.com

Patrik Wallström pawal at blipp.com
Mon Apr 29 13:31:18 UTC 2013

On Apr 29, 2013, at 3:16 PM, WBrown at e1b.org wrote:

>> From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
>> Anyone has more technical and factual information about this problem?
>> Error in .SE, in one.com or in Telia?
>> http://www.one.com/en/info/profile
> [snip]
> Does anyone know what they mean by this sentence in their update posted 
> April 29, 2013 1:36 PM CET 
> "However, we have become aware of an error in a particular version of the 
> DNS-software BIND, which we know are being used by several ISP's in Sweden 
> like TeliaSonera, Telenor, Tele2, Bredbandsbolaget and Bredband2. "

Short update from .se,

One.com has begun to sign all of their .se domains. However, they discovered that some resolver operators in Sweden (most of them do DNSSEC validation) had problems with some of their customer domains. Since then, they have asked some of them to flush their caches, and in the meantime they have also halted their signing process for a while, keeping the already signed domains for the time being.

Most problems still comes from PowerDNS. They do PowerDNS with signing on all of their name servers. We have previously seen problems with PowerDNS in combination with BIND resolvers, since PowerDNS with DNSSEC sometimes takes a long time to answer due to signing. This causes EDNS0 blacklisting in BIND. I am not sure that this is the issue this time. One.com are still investigating the issue, and are also applying the latest patches for the software.

More information about the dns-operations mailing list