--- Begin Message ---
The best laid schemes...
When this last occurred, we re-signed (w/ZSK roll) manually, sure that we would
have our ip6.arpa DNSSEC fully automated on a new platform shortly. The
results, unfortunately, speak for themselves. Both the algs and the signature
periods will be addressed when we get to automation on our new platform. In
the meantime, the zone is no longer bogus and a piece of baling wire in the
form of a calendar event has been put in place as a backstop just in case.
Mark
Comcast DNS
On 2/8/21, 1:28 AM, "dns-operations on behalf of Paul Vixie"
<[email protected] on behalf of [email protected]> wrote:
my IPv6 PTRs are failing, and like last time, it's a signature
expiration upstream of my zone:
> 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (68.87.68.244, 68.87.72.244, 68.87.76.228, 68.87.85.132, 69.252.250.103, 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244, 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228, 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_KN)
> RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature Expiration field of the RRSIG RR (2021-02-03 13:23:52+00:00) is 4 days in the past.
> RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature Expiration field of the RRSIG RR (2021-02-03 13:23:52+00:00) is 4 days in the past.
see also a lot of warnings about signing alg 5 and digest alg 1:
> https://dnsviz.net/d/3.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.9.5.5.0.1.0.0.2.ip6.arpa/dnssec/
uptime needed.
vixie
--
Are you in?
https://labs.fsi.io/
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--- End Message ---
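A scripted version of the calendar-event backstop mentioned in the reply, as an added example that is not part of the thread and not Comcast's tooling: it parses RRSIG records in `dig +dnssec` presentation format and reports expired or soon-to-expire signatures and weak algorithms. The sample records, the 7-day warning window and the check time are assumptions; only the owner name, algorithm, key tag and expiration of the first record come from the quoted DNSViz output.

```python
from datetime import datetime, timedelta, timezone

# DNSSEC algorithm numbers that validators and DNSViz flag as weak or deprecated.
WEAK_ALGS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

def _ts(s):
    # RRSIG timestamps in presentation format are YYYYMMDDHHmmSS, UTC.
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG record as printed by `dig +dnssec` (presentation format)."""
    f = line.split()
    i = f.index("RRSIG")
    return {"owner": f[0], "covered": f[i + 1], "alg": int(f[i + 2]),
            "expiration": _ts(f[i + 5]), "inception": _ts(f[i + 6]),
            "key_tag": int(f[i + 7]), "signer": f[i + 8]}

def check_rrsig(line, now, warn=timedelta(days=7)):
    """Return (status, findings); status is CRIT, WARN or OK."""
    r = parse_rrsig(line)
    label = f'{r["owner"]}/{r["covered"]} alg {r["alg"]}, id {r["key_tag"]}'
    crit, warns = [], []
    if now >= r["expiration"]:
        crit.append(f'{label}: expired {(now - r["expiration"]).days} days ago')
    elif r["expiration"] - now <= warn:
        warns.append(f'{label}: expires in {(r["expiration"] - now).days} days')
    if now < r["inception"]:
        crit.append(f"{label}: inception is in the future (check clocks)")
    if r["alg"] in WEAK_ALGS:
        warns.append(f'{label}: weak algorithm {WEAK_ALGS[r["alg"]]}')
    status = "CRIT" if crit else "WARN" if warns else "OK"
    return status, crit + warns

# Constructed sample records. Owner, algorithm, key tag and expiration of the first
# come from the DNSViz output quoted in the thread; TTL, inception and signature
# bytes are placeholders. The second record is entirely made up.
EXPIRED = ("9.5.5.0.1.0.0.2.ip6.arpa. 3600 IN RRSIG DNSKEY 5 10 3600 "
           "20210203132352 20210104132352 47242 9.5.5.0.1.0.0.2.ip6.arpa. c2FtcGxl")
HEALTHY = ("example.net. 3600 IN RRSIG DNSKEY 13 2 3600 "
           "20210301000000 20210201000000 12345 example.net. c2FtcGxl")
NOW = datetime(2021, 2, 8, tzinfo=timezone.utc)  # assumed check time

if __name__ == "__main__":
    for rec in (EXPIRED, HEALTHY):
        status, findings = check_rrsig(rec, NOW)
        print(status, *findings, sep="\n  ")
```

Run from cron against live `dig +dnssec` output, the WARN state gives the operator the lead time that a post-expiry DNSViz report cannot.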