[EXTERNAL] [dns-operations] anybody awake over at comcast.net?

Feldman, Mark Mark_Feldman at comcast.com
Mon Feb 8 13:33:08 UTC 2021


The best laid schemes...

When this last occurred, we re-signed (w/ZSK roll) manually, sure that we would have our ip6.arpa DNSSEC fully automated on a new platform shortly. The results, unfortunately, speak for themselves. Both the algs and the signature periods will be addressed when we get to automation on our new platform. In the meantime, the zone is no longer bogus and a piece of baling wire in the form of a calendar event has been put in place as a backstop just in case.

  Mark
  Comcast DNS


On 2/8/21, 1:28 AM, "dns-operations on behalf of Paul Vixie" <dns-operations-bounces at dns-oarc.net on behalf of vixie at fsi.io> wrote:

    my IPv6 PTRs are failing, and like last time, it's a signature
    expiration upstream of my zone:

    > 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (68.87.68.244, 68.87.72.244, 68.87.76.228, 68.87.85.132, 69.252.250.103, 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244, 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228, 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_KN)
    > RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature Expiration field of the RRSIG RR (2021-02-03 13:23:52+00:00) is 4 days in the past.
    > RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature Expiration field of the RRSIG RR (2021-02-03 13:23:52+00:00) is 4 days in the past.

    see also a lot of warnings about signing alg 5 and digest alg 1:

    > https://dnsviz.net/d/3.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.9.5.5.0.1.0.0.2.ip6.arpa/dnssec/
    uptime needed.

    vixie

    --
    Are you in?   https://labs.fsi.io/
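The calendar-event backstop mentioned in the reply can be complemented by an automated expiry check on the RRSIGs themselves. The following is an added example, not part of the original thread and not Comcast's tooling: it classifies RRSIG records given in presentation format (as printed by `dig +dnssec`) against a check time. The sample records are constructed; the inception time, TTLs, signature data, the second record and the 7-day warning window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# SHA-1 based signing algorithms (IANA DNSSEC algorithm numbers)
SHA1_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

def _ts(field):
    # RFC 4034 section 3.2 presentation form: YYYYMMDDHHmmSS in UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(text, now, warn=timedelta(days=7)):
    """Classify every RRSIG line in dig/zone-file presentation format."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if line.lstrip().startswith(";") or "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        # Skip lines where RRSIG is not the record type (e.g. an NSEC type bitmap)
        if len(f) < i + 10 or len(f[i + 5]) != 14:
            continue
        # RDATA order: covered alg labels orig-ttl expiration inception keytag signer sig
        covered, alg = f[i + 1], int(f[i + 2])
        expire, incept, keytag = _ts(f[i + 5]), _ts(f[i + 6]), int(f[i + 7])
        if now > expire:
            status = "EXPIRED"
        elif now < incept:
            status = "NOT_YET_VALID"
        elif expire - now <= warn:
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append({"owner": f[0], "covered": covered, "keytag": keytag,
                         "status": status, "expires": expire,
                         "sha1_alg": SHA1_ALGS.get(alg)})
    return findings

# Constructed sample. Owner, alg, key tag and expiration of the first record
# follow the DNSViz output quoted in the thread; everything else is made up.
SAMPLE = """\
; constructed records, signature data is a placeholder
9.5.5.0.1.0.0.2.ip6.arpa. 3600 IN RRSIG DNSKEY 5 10 3600 20210203132352 20210104132352 47242 9.5.5.0.1.0.0.2.ip6.arpa. c2FtcGxl
example. 3600 IN RRSIG SOA 13 1 3600 20210310000000 20210201000000 12345 example. c2FtcGxl
"""

if __name__ == "__main__":
    now = datetime(2021, 2, 8, tzinfo=timezone.utc)  # assumed check time
    for r in check_rrsigs(SAMPLE, now):
        print(r["status"], r["owner"], r["covered"], "keytag", r["keytag"],
              "expires", r["expires"].isoformat(), r["sha1_alg"] or "")
```

Run on a schedule against the DNSKEY and SOA RRSIGs of each signed zone, an `EXPIRING` result gives the warning window that a manual re-sign needs.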