Hi everyone, I'm amplifying this post here, as I think this issue is starting to become a threat to the reputation of DNSSEC and will thus hinder DNSSEC deployment.
In short, going insecure over at .ORG is dangerous and may kill your domain. And if I were to ponder DNSSEC signing new domains, lacking the ability to go back would certainly make me ponder the wisdom of signing my domains. Valiant attempts have been made to get the registry to fix this issue, to no avail so far. If you know anyone that can help with fixing this situation in the .ORG signer, please do so.

Bert
PowerDNS

----- Forwarded message from Peter van Dijk <peter.van.d...@powerdns.com> -----

Date: Fri, 07 Apr 2017 22:27:47 +0200
From: Peter van Dijk <peter.van.d...@powerdns.com>
To: dns-operations <dns-operati...@dns-oarc.net>
Subject: Re: [dns-operations] .org dnssec issue?
X-Mailer: MailMate (1.9.6r5347)

On 6 Feb 2017, at 14:44, Peter van Dijk wrote:

> The NSEC3 indeed says a DS should be there, but there is none.
> Incidentally whois says the domain is ‘unsigned’.
>
> This is indeed a .org issue, looks like a signer bug.

For those who care, this .org bug remains unfixed. I keep getting reports, roughly weekly, of domains going bogus in .org after DS removal, because DS remains in the NSEC3 bitmap.

Here is a dnsviz snapshot from an affected domain yesterday: http://dnsviz.net/d/digidoc4j.org/WOYxhQ/dnssec/

There is no known workaround for a domain owner.

This issue unsurprisingly also affects .info. Here is a different .info bug from a month ago as well: http://dnsviz.net/d/www.michiganorganizer.info/WMnilQ/dnssec/

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-operations mailing list
dns-operati...@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

----- End forwarded message -----
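To make the failure mode in the forwarded message concrete: when a validator asks the parent for the child's DS record and gets an empty (NODATA) answer, the proof that no DS exists is the NSEC3 record whose owner name is the RFC 5155 hash of the child name. Its type bitmap must list NS but not DS for the validator to conclude "unsigned delegation" and treat the child as insecure. If the registry's signer removes the DS RRset but leaves DS in that bitmap, the proof contradicts the answer and the validator has no choice but bogus. The Python below is an added example, not code from the thread or from PowerDNS: it implements the NSEC3 hash (SHA-1, salt appended, base32hex), parses NSEC3 records in dig presentation form, and classifies a DS answer the way a validator would. The salt, iteration count, next-hash and DS placeholder in `demo()` are constructed values, not .org's real parameters; RRSIG verification is assumed to have already happened, and Opt-Out closest-encloser proofs are deliberately left out because the reported cases are exact-match NSEC3 records.

```python
import hashlib
from dataclasses import dataclass

# RFC 4648 "Extended Hex" alphabet, used for NSEC3 owner names (RFC 5155 s3.3).
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def b32hex_nopad(data: bytes) -> str:
    """Base32hex without '=' padding; a 20-byte SHA-1 digest becomes 32 characters."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc, nbits = (acc << 8) | byte, nbits + 8
        while nbits >= 5:
            nbits -= 5
            out.append(B32HEX[(acc >> nbits) & 31])
    if nbits:
        out.append(B32HEX[(acc << (5 - nbits)) & 31])
    return "".join(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), H = SHA-1.
    '-' in presentation format means an empty salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex_nopad(digest)


@dataclass(frozen=True)
class Nsec3:
    owner: str        # "<hash>.org." as dig prints it
    hash_alg: int     # 1 = SHA-1, the only algorithm defined for NSEC3
    flags: int        # bit 0 is Opt-Out
    iterations: int
    salt: str
    next_hash: str
    types: frozenset  # type bitmap in presentation form, e.g. {"NS", "DS", "RRSIG"}


def parse_nsec3(line: str) -> Nsec3:
    """Parse one NSEC3 RR in zone-file / dig presentation format."""
    f = line.split()
    i = f.index("NSEC3")
    return Nsec3(owner=f[0].lower(), hash_alg=int(f[i + 1]), flags=int(f[i + 2]),
                 iterations=int(f[i + 3]), salt=f[i + 4], next_hash=f[i + 5].lower(),
                 types=frozenset(t.upper() for t in f[i + 6:]))


def classify_ds_answer(child: str, zone: str, ds_rrset: list, nsec3_rrs: list) -> str:
    """How a validator treats the parent's answer to 'DS <child>':
    'secure' (DS present), 'insecure' (NSEC3 proves no DS at a delegation),
    'bogus' (no acceptable proof). Exact-match NSEC3 only; Opt-Out proofs omitted."""
    if ds_rrset:
        return "secure"
    zone_suffix = "." + zone.lower().strip(".") + "."
    for rr in nsec3_rrs:
        if rr.hash_alg != 1 or not rr.owner.endswith(zone_suffix):
            continue
        if rr.owner[: -len(zone_suffix)] != nsec3_hash(child, rr.salt, rr.iterations):
            continue  # not the NSEC3 for <child>
        if "DS" in rr.types:
            return "bogus"  # bitmap claims a DS exists but none was answered: the signer bug
        if "NS" not in rr.types or "SOA" in rr.types:
            return "bogus"  # not a delegation point, so not an insecure delegation
        return "insecure"
    return "bogus"  # nothing proves the DS is absent


def demo() -> dict:
    """Constructed scenario; salt, iterations, next-hash and DS text are made up."""
    child, zone, salt, iters = "example.org.", "org.", "d399eaab", 1
    h, nxt = nsec3_hash(child, salt, iters), "0" * 32
    correct = parse_nsec3(f"{h}.org. 86400 IN NSEC3 1 1 {iters} {salt} {nxt} NS RRSIG")
    stale = parse_nsec3(f"{h}.org. 86400 IN NSEC3 1 1 {iters} {salt} {nxt} NS DS RRSIG")
    ds = ["example.org. 86400 IN DS 12345 8 2 <digest>"]  # constructed placeholder
    return {"still signed": classify_ds_answer(child, zone, ds, [stale]),
            "correctly unsigned": classify_ds_answer(child, zone, [], [correct]),
            "ds removed, stale bitmap": classify_ds_answer(child, zone, [], [stale])}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

To check a live domain against this logic, query a .org nameserver with `dig +dnssec DS <domain>` and feed the NSEC3 records from the authority section to `parse_nsec3`; an NSEC3 whose owner equals `nsec3_hash(<domain>, salt, iterations)` and whose bitmap still lists DS is the condition Peter describes.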