[dns-operations] geant.org dnssec

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Feb 7 08:23:14 UTC 2017

On Mon, Feb 06, 2017 at 05:08:38PM +0100,
 Dick Visser <dnmvisser at gmail.com> wrote 
 a message of 26 lines which said:

> And to my knowledge this is achieved by stop publishing a DS record
> in the parent zone.

Yes, this was the correct move.

> After reading the previously mentioned thread I found that it might be
> something in .org that off.

Yes, there is a bug in their signer. NSEC3 + dynamic signing is
obviously something complicated, and therefore brittle. Apparently,
the .org signer does not handle well the removal of a DS (not a
change, a complete removal of the set, something which is probably
uncommon and therefore less tested in the battlefield).
> Can someone from Afilias have a look at what was going on?

Indeed, a post-mortem report would be interesting.

More information about the dns-operations mailing list