On Tue, Jul 18, 2023, 3:47 PM Mark Andrews <[email protected]> wrote:

> If you have stale DS’s then you will get validation failures if the child
> zone had already removed the DNSKEYs those DS refer to.

The second-level domain in question didn't have a DS at all. The problem, as far as I could tell, was that the RRSIG on the NSEC3 from the com nameservers was expired and therefore could not be validated. This broke the unsigned second-level domain for any resolver validating DNSSEC.

Gavin

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
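
A validating resolver can only treat a delegation as unsigned once it has validated the parent's NSEC3 proof that no DS exists, so an expired RRSIG over that NSEC3 makes the unsigned child fail too. The following is an added example, not part of the thread: it checks the validity window of each RRSIG in dig-style output; the records, owner labels, key tag and check time are constructed, and `rrsig_status` and `broken_denial` are hypothetical helper names.

```python
from datetime import datetime, timezone

# Constructed sample in dig presentation format (not captured from the incident).
# The hashed owner label, key tag and signature text are placeholders.
SAMPLE = """\
ABCDEF0123456789.com. 86400 IN NSEC3 1 1 0 - ABCDEF0123456790 NS SOA RRSIG DNSKEY NSEC3PARAM
ABCDEF0123456789.com. 86400 IN RRSIG NSEC3 13 2 86400 20230717000000 20230710000000 12345 com. c2lnbmF0dXJl
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
com. 900 IN RRSIG SOA 13 1 900 20230725000000 20230718000000 12345 com. c2lnbmF0dXJl
"""

# Constructed check time, chosen to fall after the NSEC3 signature expires.
NOW = datetime(2023, 7, 18, 15, 47, tzinfo=timezone.utc)


def parse_ts(field):
    """RFC 4034 3.2: 14-digit YYYYMMDDHHmmSS (UTC) or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def rrsig_status(text, now):
    """Return (owner, type_covered, state) for every RRSIG line in text."""
    out = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expiration inception tag signer sig
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        expiration, inception = parse_ts(f[8]), parse_ts(f[9])
        if now > expiration:
            state = "expired"
        elif now < inception:
            state = "not-yet-valid"
        else:
            state = "valid"
        out.append((f[0], f[4], state))
    return out


def broken_denial(text, now):
    """Owners whose NSEC3 signature is outside its validity window at `now`."""
    return [o for o, t, s in rrsig_status(text, now) if t == "NSEC3" and s != "valid"]


if __name__ == "__main__":
    for row in rrsig_status(SAMPLE, NOW):
        print(*row)
```

Note that the expiration field precedes the inception field in RRSIG presentation format, which is easy to swap when reading dig output by eye.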
