[dns-operations] Enabling DNSSEC signing for pagerduty.com
Matt Nordhoff
lists at mn0.us
Wed Jun 7 11:03:13 UTC 2023
On Wed, Jun 7, 2023 at 6:09 AM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> On Tue, Jun 06, 2023 at 11:00:29AM -0600, Andy Smith via dns-operations wrote:
> > We (PagerDuty) are in the process of enabling DNSSEC signing across
> > our domains, and today (June 6th) we’re planning to enable it for
> > pagerduty.com and associated subdomains (e.g. eu.pagerduty.com). Given
> > the potential impact and the large number of organizations using our
> > services, we thought it would be a good idea to let people know it’s
> > happening in case any problems occur. If you do see any issues, feel
> > free to contact me directly or support via support at pagerduty.com.
>
> According to DNSViz: <https://dnsviz.net/d/pagerduty.com/ZIAdCA/dnssec/>
> sibling AAAA glue is missing for ns-474.awsdns-59.com. This is not
> something pagerduty.com can do anything about (except pass it along to
> AWS). Since I am not much of a fan of sibling glue anyway, not a
> problem really, but if there is IPv4 glue for an NS host it should
> also have IPv6 glue if the auth AAAA RR exists.
I tried to ask about that on the old AWS forum but Amazon didn't
really understand me. And then they deleted the forum. :-(
It's resolvable with extra queries on an IPv6-only network because the
awsdns-59.com zone itself uses nameservers with IPv6 glue (unless
those nameservers are all down) but it's still unfortunate.
They have some other issues outside of the Route 53 service, too.
(E.g. ns1.amzndns.com or ns1-ec2-rdns.amazonaws.com.)
--
Matt Nordhoff
More information about the dns-operations
mailing list