On Mon, May 21, 2012 at 3:09 PM, Chris Thompson <[email protected]> wrote:
> On May 21 2012, Livingood, Jason wrote: > > - Negative Trust Anchor added 4/23/12 >> - Issue appears due to expired keys in the domain >> - DNSViz report at >> http://dnsviz.net/d/fbo.gov/**T7YMCQ/dnssec/<http://dnsviz.net/d/fbo.gov/T7YMCQ/dnssec/> >> > > One of the three authoritative nameservers (ns04.symplicity.com) has > expired signatures (not *keys*, damnit!), the other two are currently > fine, although all three claim the same SOA serial for the zone. > > [...] > > Some of the DNSSEC checking sites seem not to try all the nameservers, > at least by default. > > Incidentally, I've (somewhat) recently made available on DNSViz a breakdown of RRsets within all the responses received for queries during an analysis, so it's easier to see which RRsets and RRSIGs (or lack thereof!) are returned with each response. It's still very much a work-in-progress, but hopefully it's helpful. http://dnsviz.net/d/fbo.gov/T7YMCQ/responses/ Regards, Casey
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
