[dns-operations] slack.com bogus
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Sep 30 22:39:56 UTC 2021
> On 30 Sep 2021, at 6:31 pm, Michael Sinatra <michael at brokendns.net> wrote:
>
> Given that there are still reports of resolvers out there with cached DS records, has anyone who may be in contact with the Slack admins advised them to bring back the DNSKEY records and RRSIGs without bringing back the DS records? Once the negative cache ttl expires (5 min according to the SOA minimum), people will start resolving and validating stuff again, rather than having to force-flush or wait for the 24 hour DS TTL to expire. (By my calculation, we still have 17 hours to go, vs. 5 minutes.)
I would certainly hope they know this, which does make the failure to
bring back the DNSKEY RRs rather a mystery. The only plausible explanation
would be a failure that wiped the keys and all usable signed copies of the
zone (master and slave). No idea how that happens.
I'd have to have been "a series of unfortunate events"...
--
Viktor.
More information about the dns-operations
mailing list