[dns-operations] geant.org dnssec
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Feb 7 08:23:14 UTC 2017
On Mon, Feb 06, 2017 at 05:08:38PM +0100,
Dick Visser <dnmvisser at gmail.com> wrote
a message of 26 lines which said:
> And to my knowledge this is achieved by stop publishing a DS record
> in the parent zone.
Yes, this was the correct move.
> After reading the previously mentioned thread I found that it might be
> something in .org that off.
Yes, there is a bug in their signer. NSEC3 + dynamic signing is
obviously something complicated, and therefore brittle. Apparently,
the .org signer does not handle well the removal of a DS (not a
change, a complete removal of the set, something which is probably
uncommon and therefore less tested in the battlefield).
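As an added illustration (not part of this thread), the consistency check an operator can run before and after pulling a DS: rebuild the DS from the child's DNSKEY RRset (RFC 4034 / RFC 4509) and compare it with what the parent actually publishes. Zone name, key bytes and DS values below are constructed, not real .org data.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA as sent on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}   # DS digest types

def ds_from_dnskey(owner, rdata, digest_type=2):
    """DS as (key_tag, algorithm, digest_type, hexdigest).
    The digest covers the owner name in wire form followed by the DNSKEY RDATA."""
    digest = hashlib.new(DIGESTS[digest_type], name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def check_delegation(owner, child_dnskeys, parent_ds, zone_signed):
    """Classify the parent's DS set against the child's DNSKEY RRset.
    'unsigned-ok'  : no DS and the zone is intentionally unsigned (going insecure)
    'stale-ds'     : DS still published for a zone that no longer signs -> SERVFAIL
    'missing-ds'   : signed zone with no DS: insecure delegation, not broken
    'broken-chain' : DS present but matching none of the child's keys -> SERVFAIL
    'ok'           : at least one DS matches a child DNSKEY"""
    if not parent_ds:
        return "unsigned-ok" if not zone_signed else "missing-ds"
    if not zone_signed:
        return "stale-ds"
    computed = {ds_from_dnskey(owner, k, ds[2])
                for k in child_dnskeys for ds in parent_ds if ds[2] in DIGESTS}
    return "ok" if computed & set(parent_ds) else "broken-chain"

# Constructed sample data (hypothetical zone and key, not from the thread).
ZONE = "example.org."
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")   # flags 257 = SEP bit set
PUBLISHED_DS = [ds_from_dnskey(ZONE, KSK)]           # what the parent serves today
```

Run it against the parent's DS answer and the child's DNSKEY answer after the removal: anything other than "unsigned-ok" means the parent side has not caught up and validating resolvers will fail.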
> Can someone from Afilias have a look at what was going on?
Indeed, a post-mortem report would be interesting.