[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

Gavin McCullagh gmccullagh at gmail.com
Wed Jul 19 01:35:36 UTC 2023


On Tue, Jul 18, 2023, 3:47 PM Mark Andrews <marka at isc.org> wrote:

>
>
> If you have stale DS’s then you will get validation failures if the child
> zone had already removed the DNSKEYs those DS refer to.
>


The second-level domain in question didn't have a DS at all.  The problem,
as far as I could tell, was that the RRSIG on the NSEC3 from the com
nameservers was expired and therefore could not be validated.  This broke
the unsigned second-level domain for any resolver validating DNSSEC.

Gavin
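
Added example, not part of the original message or of any resolver's code: the failure described above, reduced to the signature time-window check a validator applies to the parent's proof that no DS exists. The record names, key tag, timestamps and signature are constructed; cryptographic verification and NSEC3 hash matching are assumed to be done elsewhere.

```python
from datetime import datetime, timezone

# Constructed authority-section records in dig presentation format (not captured
# from the incident): the parent's NSEC3 denial for a child that has no DS.
SAMPLE = """\
0000000000000000000000000000aaaa.com. 86400 IN NSEC3 1 1 0 - 0000000000000000000000000000AAAB NS DS RRSIG
0000000000000000000000000000aaaa.com. 86400 IN RRSIG NSEC3 13 2 86400 20230718000000 20230711000000 12345 com. c2lnbmF0dXJl
"""

def _ts(s):
    # RRSIG timestamps in presentation format are YYYYMMDDHHmmSS, UTC (RFC 4034).
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return one dict per RRSIG line: covered type, validity window, signer."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 13 and f[3] == "RRSIG":
            # RDATA order: covered alg labels origttl EXPIRATION INCEPTION tag signer sig
            out.append({"owner": f[0], "covered": f[4], "expiration": _ts(f[8]),
                        "inception": _ts(f[9]), "signer": f[11]})
    return out

def has_type(text, rrtype):
    return any(len(f) > 3 and f[3] == rrtype
               for f in map(str.split, text.splitlines()))

def delegation_status(text, now):
    """Validator outcome for a delegation, judged on signature time windows only."""
    sigs = parse_rrsigs(text)

    def usable(covered):
        return any(s["covered"] == covered and
                   s["inception"] <= now <= s["expiration"] for s in sigs)

    if has_type(text, "DS"):
        return "secure-delegation" if usable("DS") else "bogus"
    # No DS: the child counts as unsigned only if the parent's denial validates.
    if has_type(text, "NSEC3") and usable("NSEC3"):
        return "insecure"
    return "bogus"

if __name__ == "__main__":
    for when in (datetime(2023, 7, 17, tzinfo=timezone.utc),
                 datetime(2023, 7, 19, 1, 35, 36, tzinfo=timezone.utc)):
        print(when.isoformat(), delegation_status(SAMPLE, when))
```

With the constructed window, the same unsigned delegation moves from `insecure` (resolves normally) to `bogus` (SERVFAIL on a validating resolver) once the NSEC3 RRSIG expires, even though the child zone itself never changed.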