Re: irtf.org DNSSEC signatures (partly) expired

Dear IETF List -

I apologize for the noise and confusion.  Mr Dukhovni did not address
his email to the IETF list; however, he did send his email with a
manually-configured Reply-to: header set to the list.  I should have
noticed that when replying.

At any rate, DNS for the IRTF is not down, it does appear to be
functioning correctly, and other test sites confirm it.  The site
referenced in Mr. Dukhovni's email, dataviz.net, appeared to have been
caching old results.

I'll be sure I check for any "customized" headers before replying to
any future trouble reports I receive.

Thanks,
Glen
Glen Barney
IT Director
AMS (IETF Secretariat)


On Sat, Nov 7, 2015 at 1:09 PM, Glen <glen(_at_)amsl(_dot_)com> wrote:
> Dear Mr. Dukhovni:
>
> I'll open a trouble ticket with Afilias; however, for the moment, I
> have re-signed all the files locally, and done a serial number
> increment, and pushed them to Afilias.  I will watch to see if that
> clears it.
>
> Also, please let me remind everyone on the list that the reporting
> address for things of this type is ietf-action(_at_)ietf(_dot_)org.
>
> Thanks,
> Glen
> Glen Barney
> IT Director
> AMS (IETF Secretariat)
>
> On Sat, Nov 7, 2015 at 12:54 PM, Viktor Dukhovni 
> <ietf-dane(_at_)dukhovni(_dot_)org> wrote:
> > It looks like master -> slave DNS updates are failing, only the master
> > nameserver has unexpired signatures:
> >
> >     http://dnsviz.net/d/irtf.org/dnssec/
> >
> > However, all the nameservers report the same SOA serial as the master:
> >
> >     $ dig -t ns +noall +ans +nocl +nottl irtf.org @ns0.amsl.com.
> >     irtf.org.           NS      ns0.amsl.com.
> >     irtf.org.           NS      ns1.ams1.afilias-nst.info.
> >     irtf.org.           NS      ns1.hkg1.afilias-nst.info.
> >     irtf.org.           NS      ns1.mia1.afilias-nst.info.
> >     irtf.org.           NS      ns1.sea1.afilias-nst.info.
> >     irtf.org.           NS      ns1.yyz1.afilias-nst.info.
> >
> >     $ dig -t soa +noall +ans +nocl +nottl irtf.org @ns0.amsl.com.
> >     irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 
> > 1800 604800 1800
> >
> >     $ while read ns; do dig -t soa +noall +ans +nocl +nottl irtf.org @$ns; 
> > done <<-EOF
> >         ns1.ams1.afilias-nst.info.
> >         ns1.hkg1.afilias-nst.info.
> >         ns1.mia1.afilias-nst.info.
> >         ns1.sea1.afilias-nst.info.
> >         ns1.yyz1.afilias-nst.info.
> >         EOF
> >     irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 
> > 1800 604800 1800
> >     irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 
> > 1800 604800 1800
> >     irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 
> > 1800 604800 1800
> >     irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 
> > 1800 604800 1800
> >     irtf.org.           SOA     ns0.amsl.com. glen.amsl.com. 1200000226 1800 
> > 1800 604800 1800
> >
> > So perhaps the master zone resigning is no longer updating the SOA
> > record.  In any case, DNS resolution for irtf.org is mostly down.
> >
> > --
> >         Viktor.