[dns-operations] Missing DS change within a rollover on a few .GOV domains?
Mauricio Vergara Ereche
mave at cero32.cl
Fri Sep 25 23:07:17 UTC 2015
Hi there!
It seems like some .gov domains have done a key rollover on these auth
servers:
authns1.centurylink.net.
authns2.centurylink.net.
tpsns11.terrenap.net.
tpsns12.terrenap.net.
But they didn't change DS records before on the parent zone!
There are at least 2 domains out there (state.gov as well as usembassy.gov)
that have different DS records on the parent, which don't match the
DNSKEYs
...and those TTLs on the zones themselves are not helping very much :-(
$ dig DS usembassy.gov +cd +short @a.gov-servers.net.
9084 7 1 2130D69182CF4766C79FCD965F663B675355F0E2
$ dig +noall DNSKEY usembassy.gov @authns2.centurylink.net +dnssec +multi +ans
usembassy.gov. 15768000 IN DNSKEY 256 3 7 (
AwEAAdBoq6TedHYapEIAlQgURXDox9WezJgEPlY3kq30
5xtdg0UpleJ3BAIxZ8xmuzvkqSocc5/GrI4C+f/juG7j
0A/VrqceY1hq63F0miMwaaPYtqRsaTBTb14NiAMrfpzm
U2CCW3YrmO7vqNnFSmYBqzVqgUfG4orMiayhtc4nh765
) ; ZSK; alg = NSEC3RSASHA1; key id = 62912
usembassy.gov. 15768000 IN DNSKEY 257 3 7 (
AwEAAaTvsQHAkU/vQMCCABy0J20+0W25S8TulOymDOC5
g68CwdGrFC06eC6D5v2O/sQrfGslwo9qxzKwWkNJIj2t
ph4qK1C/tg6xw+bhglxJsHH9KO7dM2Bt8r7YuYihdsDR
sjKzarse/In/tMnfKuj7lXVaKcV+aI//JNDd1UQB4hX9
Ug67Z28YUEwikNMcla4DCljJuZO/F2XQOrJ98ALGp4dw
xrkjcGcqjHs3POzK+j/amqlOTfNqA6TYPoYaThKqS+Qu
2C8vTMXn9lt6OVHUk4wtlsoItHf6f3DF+J2LZQPVOxza
G3Reo2OeT/ZQ4dXDI8AqTHFMbSeHQ3srtEdATZ8=
) ; KSK; alg = NSEC3RSASHA1; key id = 48291
usembassy.gov. 15768000 IN RRSIG DNSKEY 7 2 15768000 (
20160924193926 20150925183927 48291 usembassy.gov.
Iok8jSTvTnmvCpwufHtgS4UDO6p6iUz+IDY3JyjFQ/D/
HsbIz0TI6bSB+9bNPu8cvzsYgzVgeqAUgZSDoTK2B9/7
xFXusIf6x1t7nHMhvbwNf6PxS0EJy3Shec61SmrJwinA
yPkItqgyoEbqyKEgBanN0/XdMsSXzMCcB+A7bUl9T/XW
WKF/GIGm6LgkVW/N/Tz+55rTzqzA0MftckdvzNy1N8mb
rsnfbMk822rZkPJHShZJjL5SYQnrZWKX/CUAbIDMnFGT
UgRKOoB4zhlI6jGDXI+KnvGnZC1TcXSGkXOiybLCjGtU
8YMOl0nFezvFqW0URKmKEk8dvTLjYgULIg== )
usembassy.gov. 15768000 IN RRSIG DNSKEY 7 2 15768000 (
20160924193926 20150925183927 62912 usembassy.gov.
S/P5KZu2AzibIQw/ctH1fZR8kMrS8onsURxyPIpONkxX
dWCO1G/5tRVLguD1yxcK98mBje2hKFdD+9DC88PYwp9l
EtZHNlKHrtXrNYajnLYZYCKiAazYGv73TQYPVP9PyN5s
k1DsXrg+ZyNCQbuKN8l6qugmoagiJLJXeaI0yQ8= )
Is there anyone here who can help to at least put the old DS records on the
parent zone?
Kind regards,
Mauricio
--
Mauricio Vergara Ereche
Los Angeles, CA
http://mave.cero32.cl
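
Added example, not part of the original post: a Python sketch of the check the message performs by eye, comparing the parent's DS set with the DNSKEYs the child serves (key tag per RFC 4034 Appendix B, DS digest over owner name plus DNSKEY RDATA). The zone name and key material are constructed toy values, the function names are hypothetical, and RRSIG verification is out of scope.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=1):
    """Return (key_tag, algorithm, digest_type, hex digest) for a DNSKEY."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256}
    digest = hashers[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner, ds, rdata):
    tag, alg, dtype, digest = ds
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    return make_ds(owner, rdata, dtype)[3] == digest.upper()

def orphaned_ds(owner, parent_ds_set, child_dnskeys):
    """DS records at the parent that no DNSKEY served by the child satisfies."""
    return [ds for ds in parent_ds_set
            if not any(ds_matches(owner, ds, k) for k in child_dnskeys)]

def chain_intact(owner, parent_ds_set, child_dnskeys):
    """At least one DS must match a served DNSKEY, else validation fails."""
    return len(orphaned_ds(owner, parent_ds_set, child_dnskeys)) < len(parent_ds_set)

# Constructed sample data: toy key material, not real keys.
OWNER = "example.gov."
OLD_KSK = dnskey_rdata(257, 3, 7, b"\x01\x02\x03\x04")
NEW_KSK = dnskey_rdata(257, 3, 7, b"\x0a\x0b\x0c\x0d")
NEW_ZSK = dnskey_rdata(256, 3, 7, b"\x11\x22\x33\x44")
PARENT_DS = [make_ds(OWNER, OLD_KSK)]  # parent still points at the old KSK

if __name__ == "__main__":
    served = [NEW_KSK, NEW_ZSK]
    print("broken:", not chain_intact(OWNER, PARENT_DS, served))
    print("fixed:", chain_intact(OWNER, PARENT_DS + [make_ds(OWNER, NEW_KSK)], served))
```

Running the same comparison before the old KSK is withdrawn from the child zone shows whether the new DS is already published at the parent.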