[dns-operations] .org dnssec issue?

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Feb 6 13:55:16 UTC 2017


On Mon, Feb 06, 2017 at 01:58:49PM +0100,
 Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote 
 a message of 56 lines which said:

> I cannot resolve geant.org on a validating resolver.

Same for me (BIND, Knot or Unbound).

> DNSviz said (http://dnsviz.net/d/geant.org/WJhvCw/dnssec/):
>  * NSEC3 proving non-existence of geant.org/DS: The DS bit was set
>    in the bitmap of the NSEC3 RR corresponding to the delegated name
>    (geant.org).
>  * NSEC3 proving non-existence of geant.org/DS: The DS bit was set
>    in the bitmap of the NSEC3 RR corresponding to the delegated name
>    (geant.org).

> So, is this a .org issue?

It seems so. The DS record for geant.org was removed yesterday, around
2017-02-05 20:00:00 UTC. It seems that the technique used by .org for
dynamic signing does not handle this (rare) case very well.
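
The check behind the DNSviz error quoted above, as an added example that is not part of the original message: it decodes an NSEC3 type bitmap (RFC 4034 section 4.1.2 wire format) and applies the RFC 5155 section 8.6 conditions for a "no DS" proof at a delegation. The function names and the sample bitmaps are constructed for illustration and are not taken from the .org zone.

```python
NS, SOA, DS, RRSIG = 2, 6, 43, 46  # IANA RR type codes

def encode_bitmap(types):
    """Encode RR type codes as RFC 4034 4.1.2 window blocks."""
    windows = {}
    for t in types:
        bits = windows.setdefault(t >> 8, bytearray(32))
        bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = b""
    for win, bits in sorted(windows.items()):
        trimmed = bytes(bits).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(trimmed)]) + trimmed
    return out

def decode_bitmap(data):
    """Return the set of RR type codes present in a type bitmap."""
    types, pos = set(), 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated window block")
        win, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32 or pos + 2 + length > len(data):
            raise ValueError("bad bitmap length")
        for i, octet in enumerate(data[pos + 2:pos + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (i * 8 + bit))
        pos += 2 + length
    return types

def check_no_ds_proof(bitmap):
    """Reasons why a matching NSEC3 cannot prove that no DS exists."""
    types = decode_bitmap(bitmap)
    problems = []
    if NS not in types:
        problems.append("NS bit not set: owner is not a delegation")
    if SOA in types:
        problems.append("SOA bit set: record comes from the child apex")
    if DS in types:
        problems.append("DS bit set: record asserts that a DS exists")
    return problems

if __name__ == "__main__":
    # Constructed samples: a stale bitmap that still lists DS, and the
    # bitmap expected for an insecure delegation once the DS is gone.
    stale = encode_bitmap({NS, DS, RRSIG})
    fixed = encode_bitmap({NS})
    print(stale.hex(), check_no_ds_proof(stale))
    print(fixed.hex(), check_no_ds_proof(fixed))
```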


