Hi,

Actually, some key rollover activities were initiated:

dig @ns1.coza.net.za  ke  dnskey  +multi |grep  KSK

                                ) ; KSK; alg = RSASHA1; key id = 30031
                                ) ; KSK; alg = RSASHA1; key id = 13246
                                ) ; revoked KSK; alg = RSASHA1; key id = 37599


The KSK, id 37471, which had a DS in the root zone, disappeared from the .ke zone, 
and the new KSKs' DS were not uploaded to the root zone, causing the validation 
failure. 

ke.                     86400   IN      DS      37471 5 1 05BEACA628DC8A283B5C88612A0883AB862D1CBB


The first action taken by KENIC was to contact IANA to remove the .ke DS from the root 
zone.

Meanwhile, options to restore the chain of trust had been evaluated:

1- update DS in root zone to match the new KSKs
2- restore the old key, id= 37471

1) was not an option for long, as a process had been triggered at IANA to remove 
the DS from the root zone. 2) was executed and finally, IANA's process has been 
completed.


Hope this helps

--Alain

 




On Mar 31, 2015, at 5:29 PM, Alice Munyua wrote:

> Thank you Dr. Lisse.
> Here is what I got from Kenic 
> 
> "
> Early today in the morning we noted unavailability of .ke domains. Most .ke 
> domains were not available and new domains registered had propagation issues.
> 
> This was caused by DNSSec setup revoking DNSKEYS a month earlier than the 
> DNSKEY scheduled expiry date, making the DNSKEY unavailable in the .ke zone.
> 
> We have since resolved the issue and domains should be available now.
> 
> To ensure this does not happen in future we have disabled Auto-DNSSec 
> maintenance and we will be maintaining DNSSec manually.
> 
> In case you are still experiencing any issues, kindly send us an email.
> 
> email: supp...@kenic.or.ke
> 
> We sincerely apologise for any inconveniences caused"
> 
> Best regards
> Alice
> 
> 
> 
> 
> On 31/03/2015 15:12, Dr Eberhard Lisse wrote:
>> Their web site, when reached under the IP
>> 
>> http://198.32.67.18/index.php?option=com_content&view=article&id=107&Itemid=530&catid=78
>> 
>> shows some numbers differing from the whois...
>> 
>> greetings, el
>> 
>> 
>> On 2015-03-31 13:37, Anand Buddhdev wrote:
>>> Wouter Wijngaards just alerted me to validation failures for .KE
>>> (Kenya).  I tried to call KENIC, but their phone numbers are all
>>> unreachable.
>>> 
>>> If anyone has local contacts in Kenya or nearby, please alert
>>> them!
>>> 
>>> http://dnsviz.net/d/ke/VRp4ag/dnssec/
>>> 
>>> Their current DS record points to a key that has the revoke bit
>>> set, but it is no longer signing the DNSKEY rrset.
>>> 
>>> Regards,
>>> 
>>> Anand Buddhdev RIPE NCC
>>> 
> 
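
The failure mode discussed in this thread, as an added example that is not part of any message: a DS digest covers the DNSKEY flags, so setting the REVOKE bit (RFC 5011) both shifts the key tag by 128 (compare ids 37471 and 37599 above) and stops the parent DS from matching. The check below classifies a parent DS against a child DNSKEY set before a rollover is published; the key material is constructed placeholder data, not the real .ke keys, and the function names are hypothetical.

```python
import hashlib
import struct

REVOKE = 0x0080  # RFC 5011 REVOKE flag bit in the DNSKEY flags field

def rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rd):
    """Key tag per RFC 4034 Appendix B (computed over the whole RDATA)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rd))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Owner name in canonical (lowercase) wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def make_ds(name, rd):
    """(key tag, algorithm, digest type 1, SHA-1 digest) for one DNSKEY."""
    digest = hashlib.sha1(owner_wire(name) + rd).hexdigest().upper()
    return (key_tag(rd), rd[3], 1, digest)

def check_ds(name, ds, dnskeys):
    """Classify one parent DS against the child's DNSKEY RDATA list."""
    status = "missing"  # no DNSKEY in the zone corresponds to this DS
    for rd in dnskeys:
        if make_ds(name, rd) == ds:
            return "ok"  # chain of trust has a usable entry point
        flags = struct.unpack("!H", rd[:2])[0]
        unrevoked = rdata(flags & ~REVOKE, rd[2], rd[3], rd[4:])
        # Same key material with REVOKE cleared: the DS target was revoked.
        if flags & REVOKE and make_ds(name, unrevoked) == ds:
            status = "revoked"
    return status

# Constructed sample data (placeholder key bytes, algorithm 5 as in the thread).
OLD_KSK = rdata(257, 3, 5, bytes(range(64)))
NEW_KSK = rdata(257, 3, 5, bytes(range(64, 128)))
PARENT_DS = make_ds("ke.", OLD_KSK)

if __name__ == "__main__":
    revoked = rdata(257 | REVOKE, 3, 5, OLD_KSK[4:])
    print("tags:", key_tag(OLD_KSK), key_tag(revoked))
    for label, keys in [("before rollover", [OLD_KSK, NEW_KSK]),
                        ("old KSK revoked", [revoked, NEW_KSK]),
                        ("old KSK removed", [NEW_KSK])]:
        print(label, "->", check_ds("ke.", PARENT_DS, keys))
```

Any result other than "ok" for every DS in the parent means validating resolvers will fail the zone until the DS is updated or withdrawn, or the old key is restored.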
