[dns-operations] What's wrong with my domain?
Mohamed Lrhazi
ml623 at georgetown.edu
Wed Jul 2 11:21:06 UTC 2014
Fantastic! Thanks a lot guys. I had forgotten that I did set up DNSSEC on
this zone a while back.
Thanks,
Mohamed.
On Wed, Jul 2, 2014 at 7:15 AM, Jim Reid <jim at rfc1035.com> wrote:
> On 2 Jul 2014, at 11:29, Mohamed Lrhazi <ml623 at georgetown.edu> wrote:
>
> > I am sure I messed up something, but can't figure out what! Some DNS
> > servers, notably Google's, return SERVFAIL, since a couple of days now.
>
> DNSSEC for gu.edu appears to be broken. Google's 8.8.8.8 service does
> DNSSEC validation. SERVFAILs get returned when validation fails. FWIW my
> name servers also do DNSSEC validation and they get SERVFAILs for your
> domain too.
>
> It looks to me like someone/something rolled gu.edu's KSK and forgot to
> get the parent delegation updated. .edu has one DS record for gu.edu
> which is for a key with fingerprint 3078. None of the DNSKEYs in gu.edu
> have that footprint. This makes it impossible to validate any signed data
> under gu.edu:
>
> % drill -TD gu.edu ns
> ...
> [T] gu.edu. 86400 IN DS 3078 7 1 b4c9fb14d6519c3ece5cc43e80c463d5847d73ed
> ;; Domain: gu.edu.
> ;; Signature ok but no chain to a trusted key or ds record
> [S] gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 35043 (ksk), size = 2048b}
> gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 39339 (ksk), size = 2048b}
> gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 25247 (zsk), size = 2048b}
> gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 38702 (zsk), size = 2048b}
>
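The check Jim is describing, written out as an added example (not code from this thread or from drill): compute each DNSKEY's key tag (RFC 4034 Appendix B), rebuild the DS digest the parent would need (RFC 4034 section 5.1.4), and see whether any DS in the parent authenticates any key in the child. The key material below is constructed; the thread's real keys are not on this page.

```python
import hashlib
from dataclasses import dataclass

# Added example, not code from the thread: does any DNSKEY in the child zone
# match the DS the parent publishes? Key material below is constructed.

@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # 7 = RSASHA1-NSEC3-SHA1, as in the thread
    public_key: bytes  # raw (base64-decoded) key material

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit checksum over the RDATA (the "3078" in the DS is one of these)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    # Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_record(owner: str, key: DNSKEY, digest_type: int = 1) -> tuple:
    # RFC 4034 s5.1.4: digest = H(owner name | DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return (key.key_tag(), key.algorithm, digest_type, h(owner_wire(owner) + key.rdata()).digest())

def keys_anchored_by(owner: str, ds_set: list, dnskeys: list) -> list:
    """DNSKEYs that some parent DS (tag, alg, digest_type, digest) authenticates.
    An empty list is the "no chain to a trusted key or ds record" failure from the thread."""
    return [k for k in dnskeys for ds in ds_set if ds_record(owner, k, ds[2]) == ds]

if __name__ == "__main__":
    # Constructed keys: the KSK the parent still points at, and two KSKs now in the zone.
    retired_ksk = DNSKEY(257, 3, 7, b"\x03\x01\x00\x01" + bytes(range(64)))
    new_ksks = [DNSKEY(257, 3, 7, b"\x03\x01\x00\x01" + bytes(range(64, 128))),
                DNSKEY(257, 3, 7, b"\x03\x01\x00\x01" + bytes(range(128, 192)))]
    stale_ds = [ds_record("gu.edu", retired_ksk)]           # what .edu kept after the roll
    print("anchored after roll:", keys_anchored_by("gu.edu", stale_ds, new_ksks))    # []
    fixed_ds = [ds_record("gu.edu", k) for k in new_ksks]   # DS the parent should publish
    print("anchored after fix: ", len(keys_anchored_by("gu.edu", fixed_ds, new_ksks)))  # 2
```

The same comparison on live data is what drill -TD does before printing "Signature ok but no chain": an empty result means a validating resolver will SERVFAIL the whole zone until the parent DS is replaced or the old KSK is put back.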