On May 21 2012, Livingood, Jason wrote:
[...]
> Upcoming Removal of Three Negative Trust Anchors
> Monday, May 21, 2012
> Comcast plans to remove three separate Negative Trust Anchors
[...]
> * fbo.gov
>   - Negative Trust Anchor added 4/23/12
>   - Issue appears due to expired keys in the domain
>   - DNSViz report at http://dnsviz.net/d/fbo.gov/T7YMCQ/dnssec/

One of the three authoritative nameservers (ns04.symplicity.com) has
expired signatures (not *keys*, damnit!), the other two are currently
fine, although all three claim the same SOA serial for the zone.
A validating recursive BIND doesn't seem to have any trouble with this.
Some of the DNSSEC checking sites seem not to try all the nameservers,
at least by default.
--
Chris Thompson University of Cambridge Computing Service,
Email: [email protected] New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
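
Added example, not part of the original message: a per-nameserver check of the kind the reply describes, comparing SOA serials and SOA RRSIG validity windows across every authoritative server instead of stopping at the first one. The zone, server names and records are constructed for illustration; the input is assumed to be answer lines in dig presentation format.

```python
from datetime import datetime, timezone

# Constructed records for a hypothetical zone; not real responses.
SOA = "example.gov. 3600 IN SOA ns1.example.net. hostmaster.example.gov. 2012052101 7200 3600 1209600 3600"
SIG = "example.gov. 3600 IN RRSIG SOA 7 2 3600 {exp} {inc} 12345 example.gov. c2ln"
SAMPLE = {
    "ns1.example.net": [SOA, SIG.format(exp="20120601000000", inc="20120518000000")],
    "ns2.example.net": [SOA, SIG.format(exp="20120601000000", inc="20120518000000")],
    # Same serial as the others, but still serving an old signature.
    "ns3.example.net": [SOA, SIG.format(exp="20120515000000", inc="20120501000000")],
}

def rrsig_time(field):
    """RFC 4034 3.2: YYYYMMDDHHmmSS (14 digits) or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def audit(responses, now):
    """Return {server: (soa_serial, status)} for the SOA RRset of each server."""
    report = {}
    for server, lines in responses.items():
        serial, status = None, "unsigned"
        for line in lines:
            f = line.split()
            if f[3] == "SOA":
                serial = int(f[6])
            elif f[3] == "RRSIG" and f[4] == "SOA" and status != "valid":
                # One signature inside its validity window is enough.
                expires, incepted = rrsig_time(f[8]), rrsig_time(f[9])
                if now > expires:
                    status = "expired"
                elif now < incepted:
                    status = "not-yet-valid"
                else:
                    status = "valid"
        report[server] = (serial, status)
    return report

def failing(report):
    """Servers whose SOA RRset has no currently valid signature."""
    return sorted(s for s, (_, status) in report.items() if status != "valid")

if __name__ == "__main__":
    now = datetime(2012, 5, 21, 12, 0, tzinfo=timezone.utc)
    for server, (serial, status) in audit(SAMPLE, now).items():
        print(f"{server:18} serial={serial} SOA RRSIG {status}")
```

A matching serial on every server does not imply matching signatures, so the check has to look at the RRSIG from each server separately.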