
Re: irtf.org DNSSEC signatures (partly) expired

2015-11-07 15:10:17
Dear Mr. Dukhovni:

I'll open a trouble ticket with Afilias; however, for the moment, I
have re-signed all the files locally, and done a serial number
increment, and pushed them to Afilias.  I will watch to see if that
clears it.

Also, please let me remind everyone on the list that the reporting
address for things of this type is ietf-action(_at_)ietf(_dot_)org.

Thanks,
Glen
Glen Barney
IT Director
AMS (IETF Secretariat)

On Sat, Nov 7, 2015 at 12:54 PM, Viktor Dukhovni <ietf-dane(_at_)dukhovni(_dot_)org> wrote:
It looks like master -> slave DNS updates are failing, only the master
nameserver has unexpired signatures:

    http://dnsviz.net/d/irtf.org/dnssec/

However, all the nameservers report the same SOA serial as the master:

    $ dig -t ns +noall +ans +nocl +nottl irtf.org @ns0.amsl.com.
    irtf.org.           NS      ns0.amsl.com.
    irtf.org.           NS      ns1.ams1.afilias-nst.info.
    irtf.org.           NS      ns1.hkg1.afilias-nst.info.
    irtf.org.           NS      ns1.mia1.afilias-nst.info.
    irtf.org.           NS      ns1.sea1.afilias-nst.info.
    irtf.org.           NS      ns1.yyz1.afilias-nst.info.

    $ dig -t soa +noall +ans +nocl +nottl irtf.org @ns0.amsl.com.
    irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800

    $ while read ns; do dig -t soa +noall +ans +nocl +nottl irtf.org @$ns; done <<-EOF
        ns1.ams1.afilias-nst.info.
        ns1.hkg1.afilias-nst.info.
        ns1.mia1.afilias-nst.info.
        ns1.sea1.afilias-nst.info.
        ns1.yyz1.afilias-nst.info.
        EOF
    irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800
    irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800
    irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800
    irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800
    irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800

So perhaps the master zone resigning is no longer updating the SOA
record.  In any case, DNS resolution for irtf.org is mostly down.

--
        Viktor.
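
The failure described in this thread (identical SOA serials on every server, but expired signatures on some of them) can be checked mechanically. The following is an added example, not part of the original messages or of the secretariat's tooling; the function names `collect`, `audit` and `sample` are hypothetical, and the RRSIG records (algorithm, key tag, signature, timestamps) are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare SOA serial and RRSIG(SOA) expiry per nameserver.

# collect ZONE NS...: live query helper (hypothetical, not invoked below).
# Prefixes every answer RR with the server that returned it.
collect() {
    zone=$1; shift
    for ns in "$@"; do
        dig +dnssec +norec +noall +answer +nocl +nottl -t soa "$zone" "@$ns" |
            sed "s/^/$ns /"
    done
}

# audit NOW: NOW is UTC YYYYMMDDHHMMSS, the format dig prints for RRSIG times.
# Reads "server owner type rdata..." records on stdin.
audit() {
    awk -v now="$1" '
    !($1 in seen)                { seen[$1] = 1; order[++n] = $1 }
    $3 == "SOA"                  { serial[$1] = $6 }
    # Keep the latest expiry: one valid signature is enough to validate.
    $3 == "RRSIG" && $4 == "SOA" { if ($8 + 0 > expiry[$1] + 0) expiry[$1] = $8 }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (!(s in expiry))               st = "NOSIG"
            else if (expiry[s] + 0 > now + 0) st = "OK"
            else                              st = "EXPIRED"
            if (st != "OK") bad++
            if (serial[s] != serial[order[1]]) drift = 1
            print s, serial[s], ((s in expiry) ? expiry[s] : "-"), st
        }
        # Some servers valid, some not, yet serials agree: the secondaries
        # never saw a serial bump, so they kept the old signatures.
        if (bad && bad < n && !drift) print "VERDICT same-serial-stale-signatures"
        else if (bad)                 print "VERDICT expired-signatures"
        else                          print "VERDICT ok"
    }'
}

sample() {  # constructed records; RRSIG fields are placeholders
cat <<'EOF'
ns0.amsl.com. irtf.org. SOA ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800
ns0.amsl.com. irtf.org. RRSIG SOA 5 2 1800 20151207000000 20151107000000 11111 irtf.org. PLACEHOLDER=
ns1.ams1.afilias-nst.info. irtf.org. SOA ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800
ns1.ams1.afilias-nst.info. irtf.org. RRSIG SOA 5 2 1800 20151106000000 20151007000000 11111 irtf.org. PLACEHOLDER=
ns1.hkg1.afilias-nst.info. irtf.org. SOA ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800
ns1.hkg1.afilias-nst.info. irtf.org. RRSIG SOA 5 2 1800 20151106000000 20151007000000 11111 irtf.org. PLACEHOLDER=
EOF
}

sample | audit 20151107180000
```

For a live check, pipe `collect` into `audit "$(date -u +%Y%m%d%H%M%S)"`.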