<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class=""></div>Hi @All. <div class=""><br class=""></div><div class="">I'm flying back from DNS-OARC and will try shepherding the mentioned networks towards valid configurations when I get back to Brazil. </div><div class="">Just a heads-up that <a href="http://jus.br" class="">jus.br</a> is not a single domain, it's a zone dedicated to courts where DNSSEC is mandatory. Initial delegation requires correctness before being introduced into our zone files, but later on users can unfortunately do a myriad of odd things. </div><div class=""><br class=""></div><div class="">The listed domains are from 3 different state courts and one federal court, and they seem to have different failure modes. </div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Rubens</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On May 15, 2017, at 7:28 PM, Marcus Grando <<a href="mailto:marcus@sbh.eng.br" class="">marcus@sbh.eng.br</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi Viktor, you can reach Rubens Kuhl or Frederico Neves cc'ed. 
They can indicate the right guys and flow.<div class=""><br class=""></div><div class="">Best regards</div><div class="gmail_extra"><div class=""><div class="m_-828507485007006529gmail_signature" data-smartmail="gmail_signature"><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><br class=""></div></div></div></div></div></div></div></div></div><div class="gmail_quote">On Mon, May 15, 2017 at 12:11 PM, Viktor Dukhovni <span dir="ltr" class="">&lt;<a href="mailto:ietf-dane@dukhovni.org" target="_blank" class="">ietf-dane@dukhovni.org</a>&gt;</span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><div style="word-wrap:break-word" class=""><div class="">Below (attached JPEG) is a portion of the DNSViz display for</div><div class=""><br class=""></div><div class=""><span class="m_-828507485007006529m_-2022849709534756535Apple-tab-span" style="white-space:pre-wrap"> </span><a href="http://dnsviz.net/d/_25._tcp.mx1.trtrj.jus.br/dnssec/" target="_blank" class="">http://dnsviz.net/d/_25._tcp.m<wbr class="">x1.trtrj.jus.br/dnssec/</a></div><div class=""><br class=""></div><div class="">which exhibits an impressive array of issues:</div><div class=""><br class=""></div><div class=""><span id="cid:1A6F7297-61BF-4331-8259-4E0142572FAF@lan">&lt;jus2.br.jpg&gt;</span></div><div class=""><br class="">Similar mess at:<br class=""><br class=""><span class="m_-828507485007006529m_-2022849709534756535Apple-tab-span" style="white-space:pre-wrap"> </span><a href="http://dnsviz.net/d/_25._tcp.mx1.trt1.jus.br/dnssec/" target="_blank" class="">http://dnsviz.net/d/_25._tcp.m<wbr class="">x1.trt1.jus.br/dnssec/</a><br class=""><br class="">Also less severe issues at:<br class=""><br class=""> <a href="http://dnsviz.net/d/_25._tcp.mx2.tjce.jus.br/dnssec/" target="_blank" 
class="">http://dnsviz.net/d/_25._tcp.m<wbr class="">x2.tjce.jus.br/dnssec/</a> (Bad SOA RRSIG)<br class=""> <a href="http://dnsviz.net/d/_25._tcp.lalavava.tse.jus.br/dnssec/" target="_blank" class="">http://dnsviz.net/d/_25._tcp.l<wbr class="">alavava.tse.jus.br/dnssec/</a> (Drops TLSA queries)<br class=""></div><div class=""><br class=""></div><div class="">I've not managed to reach responsive contacts for the associated domains:</div><div class=""><br class=""></div><div class=""><a href="http://trtrj.jus.br/" target="_blank" class="">trtrj.jus.br</a></div><div class=""><a href="http://trt1.jus.br/" target="_blank" class="">trt1.jus.br</a><br class=""><a href="http://tjce.jus.br/" target="_blank" class="">tjce.jus.br</a><br class=""><a href="http://tse.jus.br/" target="_blank" class="">tse.jus.br</a></div><div class=""><br class=""></div><div class="">If anyone in Brasil knows how to reach the right folks at <a href="http://jus.br/" target="_blank" class="">jus.br</a> or the specific</div><div class="">domains, please drop them a note. These domains have longstanding DNS issues</div><div class="">that need to be addressed.</div><span class="m_-828507485007006529HOEnZb"><font color="#888888" class=""><div class=""><br class=""></div><div class="">-- <br class=""><span class="m_-828507485007006529m_-2022849709534756535Apple-tab-span" style="white-space:pre-wrap"> </span>Viktor.<br class=""></div><br class=""></font></span></div></div><br class="">______________________________<wbr class="">_________________<br class="">
dns-operations mailing list<br class="">
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank" class="">dns-operations@lists.dns-oarc.<wbr class="">net</a><br class="">
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank" class="">https://lists.dns-oarc.net/mai<wbr class="">lman/listinfo/dns-operations</a><br class=""></blockquote></div><br class=""></div></div>
</div></blockquote></div><br class=""></div></body></html>