Hi everyone,

I'm amplifying this post to here as I think this issue is starting to become
a threat to the reputation of DNSSEC and will thus hinder DNSSEC deployment.

In short, going insecure over at .ORG is dangerous and may kill your domain.
And if I were to ponder DNSSEC signing new domains, lacking the ability to
go back would certainly make me ponder the wisdom of signing my domains.

Valiant attempts have been made to get the registry to fix this issue to no
avail so far. 

If you know anyone that can help with fixing this situation in the .ORG
signer, please do so.

        Bert
        PowerDNS

----- Forwarded message from Peter van Dijk <peter.van.d...@powerdns.com> -----

Date: Fri, 07 Apr 2017 22:27:47 +0200
From: Peter van Dijk <peter.van.d...@powerdns.com>
To: dns-operations <dns-operati...@dns-oarc.net>
Subject: Re: [dns-operations] .org dnssec issue?
X-Mailer: MailMate (1.9.6r5347)

On 6 Feb 2017, at 14:44, Peter van Dijk wrote:

> The NSEC3 indeed says a DS should be there, but there is none.
> Incidentally whois says the domain is ‘unsigned’.
> 
> This is indeed a .org issue, looks like a signer bug.

For those who care, this .org bug remains unfixed. I keep getting reports,
roughly weekly, of domains going bogus in .org after DS removal, because DS
remains in the NSEC3 bitmap.

Here is a dnsviz snapshot from an affected domain yesterday:
http://dnsviz.net/d/digidoc4j.org/WOYxhQ/dnssec/

There is no known workaround for a domain owner. This issue unsurprisingly
also affects .info.

Here is a different .info bug from a month ago as well:
http://dnsviz.net/d/www.michiganorganizer.info/WMnilQ/dnssec/

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
dns-operations mailing list
dns-operati...@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

----- End forwarded message -----
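
Added example (not part of either message, and not PowerDNS or registry code): a Python check for the condition reported above, where the NSEC3 record matching a delegation still lists DS in its type bitmap although no DS RRset is served. The name broken.example, the salt, the iteration count and the bitmaps are constructed; nsec3_hash, decode_type_bitmap and classify are hypothetical helper names.

```python
import base64
import hashlib

NS, DS, RRSIG = 2, 43, 46  # RR type codes
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt, iterations):
    """RFC 5155 owner-name hash (SHA-1) as a lowercase base32hex label."""
    labels = [l.encode("ascii") for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def decode_type_bitmap(data):
    """Decode the RFC 4034 window-block type bitmap used by NSEC/NSEC3."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("bad bitmap length")
        for offset, octet in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(window * 256 + offset * 8 + bit)
        i += 2 + length
    return types

def classify(name, nsec3_label, salt, iterations, bitmap, ds_rrset):
    """Compare what the parent's NSEC3 claims with the DS answer served."""
    if ds_rrset:
        return "secure: DS RRset present"
    if nsec3_label.lower() != nsec3_hash(name, salt, iterations):
        return "no matching NSEC3: bitmap says nothing about this name"
    if DS in decode_type_bitmap(bitmap):
        # The denial of DS cannot be proven, so validators return bogus.
        return "bogus: NSEC3 bitmap lists DS but no DS RRset is served"
    return "insecure: NSEC3 proves there is no DS"

if __name__ == "__main__":
    salt, iters = bytes.fromhex("aabbccdd"), 12   # constructed parameters
    label = nsec3_hash("broken.example", salt, iters)
    stale = bytes.fromhex("0006200000000012")     # constructed: NS DS RRSIG
    clean = bytes.fromhex("000120")               # constructed: NS only
    print(classify("broken.example", label, salt, iters, stale, []))
    print(classify("broken.example", label, salt, iters, clean, []))
```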