[dns-operations] DNSSEC validation timeout from Afilias TLD

derek.mcumber derek.mcumber at datamtn.com
Fri May 23 17:26:52 UTC 2014


UPDATE:

The issue is was with the KSK key rotation.  Afilias and Verisign have implemented this
process differently.

You can cancel this request.

derek

On 05/23/2014 10:51 AM, derek.mcumber wrote:
> Good Morning:
>
> I have been struggling with a DNSSEC validation error on 9.7.3 and up.
> I am not sure I have an ISC bug or if we have an MTU mismatch near the perimeter
> of the Afilias TLDs.
>
> I would like to see if some of the other DNS operators can validate the issue I am
> experiencing or if this is isolated to a few parts of the US.
>
> I don't know why we wouldn't have caught this earlier.
>
> GOOD:  This command pulling DNSKEYs from the verisign .gov TLD works just
> about anywhere
>
>             dig +dnssec +tcp pbgc.gov
>
>
> BAD:  This command pulling DNSKEYs from the Afilias TLD fails everywhere
>
>             dig +dnssec +tcp pbgc.org
>
>
> Can anyone confirm this?
>

-- 
Derek McUmber
Data Mountain Solutions
derek.mcumber at datamtn.com
703-863-5004




More information about the dns-operations mailing list