[dns-operations] Question on DNSSEC Failures

Mukund Sivaraman muks at mukund.org
Fri Jun 15 12:00:01 UTC 2018


On Fri, Jun 15, 2018 at 01:21:52PM +0200, Anthony Eden wrote:
> I have a zone where keys are currently in rotation[1], with the old keys
> (both KSK and ZSK) at 1024 bits and the new keys (both KSK and ZSK) at 2048
> bits [2]. DNSSEC validating resolvers such as Google's public resolvers are
> currently returning SERVFAIL. [3]
> 
> I am trying to determine why the lookups are failing at resolvers. Is this
> due to the truncation and requirement to switch to TCP? Do I need to reduce
> the bit size to something between 1024 and 2048?

See the errors at: http://dnsviz.net/d/avisi.net/dnssec/

		Mukund


