[dns-operations] Fortinet contact? Problems with their public resolvers
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Jun 12 18:04:12 UTC 2018
> On Jun 12, 2018, at 12:12 PM, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>
> Their resolvers quite often return SERVFAIL for DNSSEC signed zones, and
> we are quite sure that the zones are signed correctly and the
> authoritative name servers respond correctly (see below).
>
> $ dig @208.91.112.53 dnssec-signiert.at

I don't have a contact to suggest, but one might speculate as
to the cause based on features of the data. The only "modern"
feature I see that might plausibly give old software indigestion:

  * The DS RRset is SHA2 only

The KSK is 2048-bit RSA-SHA1-NSEC3 (7) and ZSK is 1024-bit
RSA-SHA1-NSEC3, these seem unlikely to cause grief. The DNSKEY
TTL is only 5 minutes, which seems needlessly short, but should
also not cause grief.

--
Viktor.