[dns-operations] DNSSEC broken for .mm
Peter van Dijk
peter.van.dijk at powerdns.com
Fri Oct 13 11:19:46 UTC 2017
Hello,
(in To: the contact from https://www.iana.org/domains/root/db/mm.html.
In Cc: dns-operations.)
DNSViz before it broke: http://dnsviz.net/d/mm/WYwFdQ/dnssec/ (note the
10 August date and June serial)
DNSViz after it broke: http://dnsviz.net/d/mm/WYxNzw/dnssec/ (note the
10 August serial)
Starting 2017-08-10 somewhere between 7 and 12 UTC, 3 of the 4 auths for
.mm stopped providing a signature for their SEP - the DNSKEY with tag
14581, as seen in the DS in the root zone. This means that validators
either need to do a lot of extra work to get a valid chain, or they
might even consider the whole TLD bogus. The secondary RIPE runs for you
has the same serial but appears to somehow have ended up with a correct
copy of the zone.
Can you please have a look? Thank you
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
More information about the dns-operations
mailing list