[dns-operations] DNSSEC broken for .mm

Peter van Dijk peter.van.dijk at powerdns.com
Fri Oct 13 11:19:46 UTC 2017


(in To: the contact from https://www.iana.org/domains/root/db/mm.html. 
In Cc: dns-operations.)

DNSViz before it broke: http://dnsviz.net/d/mm/WYwFdQ/dnssec/ (note the 
10 August date and June serial)
DNSViz after it broke: http://dnsviz.net/d/mm/WYxNzw/dnssec/ (note the 
10 August serial)

Starting 2017-08-10 somewhere between 7 and 12 UTC, 3 of the 4 auths for 
.mm stopped providing a signature for their SEP - the DNSKEY with tag 
14581, as seen in the DS in the root zone. This means that validators 
either need to do a lot of extra work to get a valid chain, or they 
might even consider the whole TLD bogus. The secondary RIPE runs for you 
has the same serial but appears to somehow have ended up with a correct 
copy of the zone.

Can you please have a look? Thank you

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

More information about the dns-operations mailing list