dnssec issue

Sven Van Dyck sven.van.dyck at
Wed Mar 10 10:59:53 UTC 2021

Imperva/Incapsula which hosts a web application firewall (WAF) with many 
customers having a CNAME configured towards a record in their domain, Incapsula had very recently DNSSEC configured on this 
zone; but last night the RRSIG on the DNSKEY record has expired; leaving 
every website behind unreachable for users of a validating 
DNS resolver. As a quick solution, Incapsula has removed the DS record 
from the parent zone, .net.  But, this record is still in many DNS 
caches (TTL=1 day).
Therefore, the question if it is possible for validating resolver 
maintainers to clear the cache of this DS record for the domain

*Sven Van Dyck*
*System Engineer*
+32 16 28 49 74
** <>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the dns-operations mailing list