[dns-operations] geant.org dnssec

Dick Visser dnmvisser at gmail.com
Mon Feb 6 16:08:38 UTC 2017


(I would like to continue the current thread '.org dnssec issue?' but
I just joined the list now and have no message to respond to, so I'm
starting a new thread)

We're experiencing some issues wrt. to our domain geant.org.
It's currently being run by Dutch ISP TransIP, who signs it.
This has been working fine, but we would like to move run the domain
ourselves on our own boxes.
To avoid any DNSSEC issues, we want to go unsigned before we change anything.
And to my knowledge this is achieved by stop publishing a DS record in
the parent zone.
So that's what I did this morning, I asked TransIP to remove the DS
record from .org, which seemed to happen.
Unfortunately not much later we started receiving complaints from
various users (using validating resolvers, which constitutes a large
number of users in the R&E community) that our domain broke for them.

After reading the previously mentioned thread I found that it might be
something in .org that off.

I've now managed to republish the DS record and things seem to be OK for now.

Can someone from Afilias have a look at what was going on?

Obviously I'm a bit wary to go unsigned again now...


Dick Visser
Sr. System & Network Engineer

More information about the dns-operations mailing list