[dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.

Thomas Dupas thomas.dupas at dnsbelgium.be
Mon May 4 20:40:05 UTC 2020

I'll leave it to Vincent/Afnic to answer on this more extensively once there is more clarity, but we noticed it as well a few hours ago for dnsbelgium.fr .
Mail + text message has been sent to Vincent and his colleagues at the time, they were looking into it.
I've been in contact with him again ~30 min ago, to be sure he knew.
They're aware; and working on it, would let them work on the issue at this phase instead of tracking the various channels.


From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of Viktor Dukhovni <ietf-dane at dukhovni.org>
Sent: Monday, May 4, 2020 10:23 PM
To: dns-operations at dns-oarc.net <dns-operations at dns-oarc.net>
Subject: Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.

On Mon, May 04, 2020 at 04:01:41PM -0400, Viktor Dukhovni wrote:
> On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
> > I noticed, that the DNSSEC signed Domains under top-Level Domain fr.
> > failed since about 4 hours.
> Indeed, there does seem to be a problem with expired DS RR signatures.
> A random sample of 1000 .fr child domains (out of 398,564 total known
> to me signed .fr domains) returns DS lookup ServFail for 205 of them.
> The associated RRSIG expiration times are:
>         204 20200504145605
>           1 20200504174835

All 205 expired DS RRsets from the initial sample now have a DS RRSIG
with an expiration time of 20200703184136 (retrieved directly from
authoritative .FR servers).  So it looks like progress is being made to
resolve this.

dns-operations mailing list
dns-operations at lists.dns-oarc.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200504/28fb4a02/attachment.html>

More information about the dns-operations mailing list