[dns-operations] Someone from Cloudflare here?

John Franklin franklin at sentaidigital.com
Tue Oct 27 01:01:49 UTC 2020


We've been having a problem since late last week (10/24) with a domain hosted at CF. Somehow, the RRSIG covering the DNSKEY record has expired. The DNSKEY record is available at the authoritative NS (sima), but ask anyone else and we get back SERVFAIL. I'm not claiming either answer is wrong, just that the entire domain is inaccessible until a new RRSIG is generated for the DNSKEY.

What's the mechanism for re-signing a DNSKEY key record?

$ dig +dnssec @sima.ns.cloudflare.com agrilinks.org DNSKEY

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;agrilinks.org.			IN	DNSKEY

;; ANSWER SECTION:
agrilinks.org.		3600	IN	DNSKEY	257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
agrilinks.org.		3600	IN	DNSKEY	256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
agrilinks.org.		3600	IN	RRSIG	DNSKEY 13 2 3600 20201024231704 20200825231704 2371 agrilinks.org. e1Gd3UjvzbN2HWnNrRgzHoeoGEg6+swFF3JKwoF1cTJrda/O2O9J8KbP SBJuWa6T7XjFXs+bXGipIJROwxr3Sw==


$ dig +dnssec @1.1.1.1 agrilinks.org DNSKEY

; <<>> DiG 9.10.6 <<>> +dnssec @1.1.1.1 agrilinks.org DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; OPT=15: 00 06 ("..")
;; QUESTION SECTION:
;agrilinks.org.			IN	DNSKEY

Thanks,
jf
-- 
John Franklin
franklin at sentaidigital.com
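The failure described in this post is the kind of thing a zone owner can catch before resolvers start returning SERVFAIL: the RRSIG over the DNSKEY RRset carries an explicit expiration time (20201024231704, i.e. 2020-10-24 23:17:04 UTC), and the 1.1.1.1 reply even says why it failed (the `OPT=15: 00 06` line is EDNS Extended DNS Error code 6, "DNSSEC Bogus"). The script below is an added example, not part of the post and not Cloudflare's tooling: it parses the `dig` presentation format shown above, classifies the RRSIG's validity window against a given time with a warning threshold, and computes each DNSKEY's key tag (RFC 4034 Appendix B) to see which key the RRSIG claims to be signed by. The record lines are re-typed from the post; the warning threshold, the function names and the synthetic all-zero key used to illustrate the tag arithmetic are assumptions of this example.

```python
"""Monitor the RRSIG over a DNSKEY RRset: validity window and signer key tag.

Input is the presentation format printed by `dig +dnssec`.  The sample records
are re-typed from the mailing-list post (dig wraps base64 with a space, which
the parsers below remove).
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

SAMPLE_DNSKEYS = [
    "agrilinks.org. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==",
    "agrilinks.org. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==",
]
SAMPLE_RRSIG = ("agrilinks.org. 3600 IN RRSIG DNSKEY 13 2 3600 20201024231704 20200825231704 "
                "2371 agrilinks.org. e1Gd3UjvzbN2HWnNrRgzHoeoGEg6+swFF3JKwoF1cTJrda/O2O9J8KbP "
                "SBJuWa6T7XjFXs+bXGipIJROwxr3Sw==")


def parse_sigtime(text):
    """RRSIG inception/expiration are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG presentation line into its RDATA fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": parse_sigtime(f[8]), "inception": parse_sigtime(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
        "signature": "".join(f[12:]),  # rejoin dig's wrapped base64
    }


def parse_dnskey(line):
    """Split one DNSKEY presentation line; the public key is returned as raw bytes."""
    f = line.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + line)
    return {"owner": f[0], "flags": int(f[4]), "protocol": int(f[5]),
            "algorithm": int(f[6]), "public_key": base64.b64decode("".join(f[7:]))}


def key_tag(flags, protocol, algorithm, public_key):
    """RFC 4034 Appendix B key tag: 16-bit ones'-complement-style sum over the
    DNSKEY RDATA (wire format).  Valid for every algorithm except 1 (RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF  # fold the carry back in
    return ac & 0xFFFF


def signature_status(rrsig, now, warn_before=timedelta(days=3)):
    """Classify an RRSIG relative to `now`. warn_before is this example's own threshold."""
    if now < rrsig["inception"]:
        return "not-yet-valid", rrsig["inception"] - now
    remaining = rrsig["expiration"] - now
    if remaining <= timedelta(0):
        return "expired", remaining
    if remaining <= warn_before:
        return "expiring", remaining
    return "ok", remaining


def matching_keys(dnskeys, rrsig):
    """DNSKEYs whose owner, algorithm and computed key tag match the RRSIG's signer fields.
    No match means the signing key is absent from the RRset, or the base64 was mangled
    in transit: every byte of the key feeds the tag."""
    return [k for k in dnskeys
            if k["owner"] == rrsig["signer"] and k["algorithm"] == rrsig["algorithm"]
            and key_tag(k["flags"], k["protocol"], k["algorithm"], k["public_key"]) == rrsig["key_tag"]]


def check_dnskey_rrsig(dnskey_lines, rrsig_line, now):
    """Run both checks; returns (status, time remaining, number of keys matching the tag)."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    sig = parse_rrsig(rrsig_line)
    status, remaining = signature_status(sig, now)
    return status, remaining, len(matching_keys(keys, sig))


if __name__ == "__main__":
    now = datetime(2020, 10, 27, 1, 1, 49, tzinfo=timezone.utc)  # the post's timestamp
    sig = parse_rrsig(SAMPLE_RRSIG)
    status, remaining = signature_status(sig, now)
    print(f"RRSIG over {sig['type_covered']} by key tag {sig['key_tag']}: {status} ({remaining})")
    for k in (parse_dnskey(l) for l in SAMPLE_DNSKEYS):
        tag = key_tag(k["flags"], k["protocol"], k["algorithm"], k["public_key"])
        print(f"DNSKEY flags={k['flags']} alg={k['algorithm']} computed tag={tag}")
```

Run against the post's data at the post's timestamp the RRSIG comes out as `expired` by roughly two days, which is exactly the state in which validating resolvers answer SERVFAIL while the authoritative server still hands out the records. Pointed at a live zone (feed it the output of `dig +dnssec <zone> DNSKEY`) the `expiring` state is the one worth alerting on, since it fires while there is still time to re-sign.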