[dns-operations] DNSSEC validation timeout from Afilias TLD

derek.mcumber derek.mcumber at datamtn.com
Fri May 23 17:26:52 UTC 2014


The issue is was with the KSK key rotation.  Afilias and Verisign have implemented this
process differently.

You can cancel this request.


On 05/23/2014 10:51 AM, derek.mcumber wrote:
> Good Morning:
> I have been struggling with a DNSSEC validation error on 9.7.3 and up.
> I am not sure I have an ISC bug or if we have an MTU mismatch near the perimeter
> of the Afilias TLDs.
> I would like to see if some of the other DNS operators can validate the issue I am
> experiencing or if this is isolated to a few parts of the US.
> I don't know why we wouldn't have caught this earlier.
> GOOD:  This command pulling DNSKEYs from the verisign .gov TLD works just
> about anywhere
>             dig +dnssec +tcp pbgc.gov
> BAD:  This command pulling DNSKEYs from the Afilias TLD fails everywhere
>             dig +dnssec +tcp pbgc.org
> Can anyone confirm this?

Derek McUmber
Data Mountain Solutions
derek.mcumber at datamtn.com

More information about the dns-operations mailing list