[dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon May 4 20:23:21 UTC 2020
On Mon, May 04, 2020 at 04:01:41PM -0400, Viktor Dukhovni wrote:
> On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
>
> > I noticed, that the DNSSEC signed Domains under top-Level Domain fr.
> > failed since about 4 hours.
>
> Indeed, there does seem to be a problem with expired DS RR signatures.
> A random sample of 1000 .fr child domains (out of 398,564 total known
> to me signed .fr domains) returns DS lookup ServFail for 205 of them.
>
> The associated RRSIG expiration times are:
>
> 204 20200504145605
> 1 20200504174835
All 205 expired DS RRsets from the initial sample now have a DS RRSIG
with an expiration time of 20200703184136 (retrieved directly from
authoritative .FR servers). So it looks like progress is being made to
resolve this.
--
Viktor.
More information about the dns-operations
mailing list