[dns-operations] .org dnssec issue?
bortzmeyer at nic.fr
Mon Feb 6 13:55:16 UTC 2017
On Mon, Feb 06, 2017 at 01:58:49PM +0100,
Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote
a message of 56 lines which said:
> I cannot resolve geant.org on a validating resolver.
Same for me (BIND, Knot or Unbound).
> DNSviz said (http://dnsviz.net/d/geant.org/WJhvCw/dnssec/):
> * NSEC3 proving non-existence of geant.org/DS: The DS bit was set
>   in the bitmap of the NSEC3 RR corresponding to the delegated name
>   (geant.org).
> * NSEC3 proving non-existence of geant.org/DS: The DS bit was set
>   in the bitmap of the NSEC3 RR corresponding to the delegated name
>   (geant.org).
> So, is this a .org issue?
It seems so. The DS record for geant.org was removed yesterday, around
2017-02-05 20:00:00 UTC. It seems that the technique used by .org for
dynamic signing does not handle this (rare) case very well.
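
The inconsistency DNSviz reports above, as an added example that is not part of the original post: a decoder for the NSEC3 type bitmap (window-block format from RFC 4034 section 4.1.2) that flags a record offered as proof of "no DS" while its own bitmap still has the DS bit set. The function names and both sample bitmaps are constructed for illustration, not captured from .org.

```python
# Added example: NSEC3 type bitmap check (window-block format, RFC 4034 section 4.1.2).
NS, DS, RRSIG = 2, 43, 46  # IANA RR type codes

def encode_bitmap(types):
    """Build a wire-format type bitmap from RR type codes (used for the samples)."""
    windows = {}
    for t in types:
        block = windows.setdefault(t >> 8, bytearray(32))
        block[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)   # bit 0 is the MSB of octet 0
    out = bytearray()
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def decode_bitmap(data):
    """Return the set of RR type codes whose bits are set in the bitmap."""
    types, pos, last_win = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[pos], data[pos + 1]
        end = pos + 2 + length
        # Windows must ascend, carry 1..32 octets, and fit inside the field.
        if win <= last_win or not 1 <= length <= 32 or end > len(data):
            raise ValueError("malformed window block")
        for i, octet in enumerate(data[pos + 2:end]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (i * 8 + bit))
        pos, last_win = end, win
    return types

def ds_denial_is_consistent(bitmap):
    """True if an NSEC3 matching the delegated name can prove that no DS exists."""
    return DS not in decode_bitmap(bitmap)

# Constructed samples, not captured from .org:
STALE = encode_bitmap({NS, DS, RRSIG})  # bitmap still advertises DS
CLEAN = encode_bitmap({NS})             # insecure delegation, NS only

if __name__ == "__main__":
    for label, bm in (("stale", STALE), ("clean", CLEAN)):
        print(label, bm.hex(), sorted(decode_bitmap(bm)), ds_denial_is_consistent(bm))
```
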