> On 30 Sep 2021, at 6:31 pm, Michael Sinatra <[email protected]> wrote:
> 
> Given that there are still reports of resolvers out there with cached DS 
> records, has anyone who may be in contact with the Slack admins advised them 
> to bring back the DNSKEY records and RRSIGs without bringing back the DS 
> records?  Once the negative cache ttl expires (5 min according to the SOA 
> minimum), people will start resolving and validating stuff again, rather than 
> having to force-flush or wait for the 24 hour DS TTL to expire.  (By my 
> calculation, we still have 17 hours to go, vs. 5 minutes.)

I would certainly hope they know this, which does make the failure to
bring back the DNSKEY RRs rather a mystery.  The only plausible explanation
would be a failure that wiped the keys and all usable signed copies of the
zone (master and slave).  No idea how that happens.

It'd have to have been "a series of unfortunate events"...

-- 
        Viktor.


_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
