[dns-operations] anybody awake over at comcast.net?

Paul Vixie vixie at fsi.io
Mon Feb 8 06:22:49 UTC 2021


my IPv6 PTRs are failing, and like last time, it's a signature
expiration upstream of my zone:

> 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (68.87.68.244, 68.87.72.244, 68.87.76.228, 68.87.85.132, 69.252.250.103, 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244, 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228, 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_KN)
> RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature Expiration field of the RRSIG RR (2021-02-03 13:23:52+00:00) is 4 days in the past.
> RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature Expiration field of the RRSIG RR (2021-02-03 13:23:52+00:00) is 4 days in the past.

see also a lot of warnings about signing alg 5 and digest alg 1:

> https://dnsviz.net/d/3.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.9.5.5.0.1.0.0.2.ip6.arpa/dnssec/
uptime needed.

vixie

-- 
Are you in?   https://labs.fsi.io/



More information about the dns-operations mailing list