[dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.

Viktor Dukhovni ietf-dane at dukhovni.org
Mon May 4 20:23:21 UTC 2020


On Mon, May 04, 2020 at 04:01:41PM -0400, Viktor Dukhovni wrote:
> On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
> 
> > I noticed, that the DNSSEC signed Domains under top-Level Domain fr. 
> > failed since about 4 hours.
> 
> Indeed, there does seem to be a problem with expired DS RR signatures.
> A random sample of 1000 .fr child domains (out of 398,564 total known
> to me signed .fr domains) returns DS lookup ServFail for 205 of them.
> 
> The associated RRSIG expiration times are:
> 
>         204 20200504145605
>           1 20200504174835

All 205 expired DS RRsets from the initial sample now have a DS RRSIG
with an expiration time of 20200703184136 (retrieved directly from
authoritative .FR servers).  So it looks like progress is being made to
resolve this.

-- 
    Viktor.


More information about the dns-operations mailing list