[dns-operations] .gov failing dnssec-validation

Michael Sinatra michael at rancid.berkeley.edu
Wed Aug 14 15:58:21 UTC 2013


On 08/14/2013 07:37, staticsafe wrote:
> On Wed, Aug 14, 2013 at 03:31:12PM +0200, Casper Gielen wrote:
>> It appears that .gov is failing dnssec-validation.
>> They have switched over to a new key (id 7698, alg 8) without uploading a
>> new DS to the root.
>> -- 
>> Casper Gielen <cgielen at uvt.nl> | LIS UNIX
>> PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7
>>
>> Universiteit van Tilburg | Postbus 90153, 5000 LE
>> Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
> 
> Seems to have been fixed.

Yes, they seem to have rolled back to the existing algo 7 key.  Based on
Duane's note from the 30th, there was supposed to be some more advanced
notice before the roll actually happened.  I suspect a test version of
the zone got rolled into production by accident.

Some of us are already being asked for "root-cause analysis" from
National Lab CIOs (in my case...I am sure there are many others...). :)

michael
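
The failure mode reported in this thread (a zone publishing a new key while the parent still holds a DS for the old one) can be checked offline with the sketch below, which is an added example and not part of the original messages. It covers only the DS-to-DNSKEY link, not RRSIG verification. The key material is constructed sample data, not the real .gov keys, and the helper names are hypothetical.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical (lowercase) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def linked_ds(owner, parent_ds, child_dnskeys):
    """Return the parent DS records that match some DNSKEY the child publishes."""
    ok = []
    for ds in parent_ds:
        tag, alg, dtype, digest = ds
        if dtype not in DIGESTS:
            continue  # unsupported digest type: cannot be used to link
        if any(make_ds(owner, k, dtype) == (tag, alg, dtype, digest.lower())
               for k in child_dnskeys):
            ok.append(ds)
    return ok

# Constructed sample keys (NOT the real .gov keys): an algorithm 7 KSK and its
# algorithm 8 replacement. The parent still holds a DS for the old key only.
OLD_KSK = dnskey_rdata(257, 7, bytes(range(1, 65)))
NEW_KSK = dnskey_rdata(257, 8, bytes(range(65, 129)))
PARENT_DS = [make_ds("gov.", OLD_KSK)]

if __name__ == "__main__":
    for label, keys in [("before roll", [OLD_KSK]),
                        ("new key only", [NEW_KSK]),
                        ("both published", [OLD_KSK, NEW_KSK])]:
        state = "chain intact" if linked_ds("gov.", PARENT_DS, keys) else "BOGUS"
        print(f"{label}: {state}")
```

An empty result from `linked_ds` means no DS at the parent points at any key the child serves, which is the condition under which validating resolvers treat the zone as bogus.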




