Fantastic! Thanks a lot, guys. I had forgotten that I did set up DNSSEC on this zone a while back.
Thanks,
Mohamed.

On Wed, Jul 2, 2014 at 7:15 AM, Jim Reid <[email protected]> wrote:

> On 2 Jul 2014, at 11:29, Mohamed Lrhazi <[email protected]> wrote:
>
> > I am sure I messed up something, but can't figure out what! Some DNS
> > servers, notably Google's, return SERVFAIL, since a couple of days now.
>
> DNSSEC for gu.edu appears to be broken. Google's 8.8.8.8 service does
> DNSSEC validation. SERVFAILs get returned when validation fails. FWIW my
> name servers also do DNSSEC validation and they get SERVFAILs for your
> domain too.
>
> It looks to me like someone/something rolled gu.edu's KSK and forgot to
> get the parent delegation updated. .edu has one DS record for gu.edu
> which is for a key with fingerprint 3078. None of the DNSKEYs in gu.edu
> have that footprint. This makes it impossible to validate any signed data
> under gu.edu:
>
> % drill -TD gu.edu ns
> ...
> [T] gu.edu. 86400 IN DS 3078 7 1 b4c9fb14d6519c3ece5cc43e80c463d5847d73ed
> ;; Domain: gu.edu.
> ;; Signature ok but no chain to a trusted key or ds record
> [S] gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 35043 (ksk), size = 2048b}
> gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 39339 (ksk), size = 2048b}
> gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 25247 (zsk), size = 2048b}
> gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 38702 (zsk), size = 2048b}
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
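
The check described in the quoted reply (does the parent's DS record match any DNSKEY published in the child zone), as an added example that is not part of the original thread. It computes the key tag and DS digest as specified in RFC 4034; the zone name, the short placeholder "public keys" and all function names are constructed for illustration and are not gu.edu's real data.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata, digest_type=1):
    """(key tag, algorithm, digest type, hex digest) the parent would publish."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

def keys_matching_ds(owner, ds, dnskeys):
    """DNSKEY RDATAs the DS authenticates; an empty list means a broken chain."""
    tag, alg, dtype, digest = ds
    return [k for k in dnskeys
            if key_tag(k) == tag and k[3] == alg
            and make_ds(owner, k, dtype)[3] == digest.lower()]

# Constructed sample data: short placeholder "public keys", not real key material.
ZONE = "zone.example."
OLD_KSK = dnskey_rdata(257, 3, 7, b"\x01\x02\x03\x04")
NEW_KSK = dnskey_rdata(257, 3, 7, b"\x0a\x0b\x0c\x0d")
ZSK = dnskey_rdata(256, 3, 7, b"\x11\x22\x33\x44")
PARENT_DS = make_ds(ZONE, OLD_KSK)  # parent still points at the old KSK

def rollover_states():
    """Count of DS-matched keys while both KSKs are published, then after removal."""
    during = keys_matching_ds(ZONE, PARENT_DS, [OLD_KSK, NEW_KSK, ZSK])
    after = keys_matching_ds(ZONE, PARENT_DS, [NEW_KSK, ZSK])
    return len(during), len(after)

if __name__ == "__main__":
    print("DS key tag:", PARENT_DS[0], "matches (during, after):", rollover_states())
```

Run before removing an old KSK from the zone: if `keys_matching_ds` would return an empty list for the DNSKEY set you are about to publish, validating resolvers will answer SERVFAIL until the parent's DS is updated.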
