Bert et al.,

Apologies for the late response.  Afilias is aware of issues concerning the 
persistence of Delegation Signer (DS) records in the DNS running on Afilias’ 
servers.

We're in receipt of a vendor patch to solve the issue. We expect to deploy this 
patch in the coming week or two.

We will continue to deal with it on a case-by-case basis when it occurs.

We appreciate your patience, and will send an update to the list when the 
problem has been fully corrected.

-Howard

> On Apr 7, 2017, at 4:16 PM, bert hubert <[email protected]> wrote:
> 
> Hi everyone,
> 
> I'm amplifying this post to here as I think this issue is starting to become
> a threat to the reputation of DNSSEC and will thus hinder DNSSEC deployment.
> 
> In short, going insecure over at .ORG is dangerous and may kill your domain.
> And if I were to ponder DNSSEC signing new domains, lacking the ability to
> go back would certainly make me ponder the wisdom of signing my domains.
> 
> Valiant attempts have been made to get the registry to fix this issue to no
> avail so far. 
> 
> If you know anyone that can help with fixing this situation in the .ORG
> signer, please do so.
> 
>       Bert
>       PowerDNS
> 
> ----- Forwarded message from Peter van Dijk <[email protected]> -----
> 
> Date: Fri, 07 Apr 2017 22:27:47 +0200
> From: Peter van Dijk <[email protected]>
> To: dns-operations <[email protected]>
> Subject: Re: [dns-operations] .org dnssec issue?
> X-Mailer: MailMate (1.9.6r5347)
> 
> On 6 Feb 2017, at 14:44, Peter van Dijk wrote:
> 
>> The NSEC3 indeed says a DS should be there, but there is none.
>> Incidentally whois says the domain is ‘unsigned’.
>> 
>> This is indeed a .org issue, looks like a signer bug.
> 
> For those who care, this .org bug remains unfixed. I keep getting reports,
> roughly weekly, of domains going bogus in .org after DS removal, because DS
> remains in the NSEC3 bitmap.
> 
> Here is a dnsviz snapshot from an affected domain yesterday:
> http://dnsviz.net/d/digidoc4j.org/WOYxhQ/dnssec/
> 
> There is no known workaround for a domain owner. This issue unsurprisingly
> also affects .info.
> 
> Here is a different .info bug from a month ago as well:
> http://dnsviz.net/d/www.michiganorganizer.info/WMnilQ/dnssec/
> 
> Kind regards,
> -- 
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
> ----- End forwarded message -----
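
Added example, not part of the original thread and not PowerDNS or Afilias code: a Python check for the failure described above, decoding an NSEC3 type bitmap (RFC 4034 section 4.1.2 wire format) and flagging a DS bit that is still set when a DS query returns no DS records. The sample bitmaps are constructed and the function names are hypothetical; it assumes the NSEC3 record matches the delegation's hashed name.

```python
# Added example: sample bitmaps below are constructed, names are hypothetical.
DS = 43  # RR type number for DS (NS is 2, RRSIG is 46)


def decode_type_bitmap(data: bytes) -> set:
    """Decode an RFC 4034 section 4.1.2 type bitmap into a set of RR type numbers."""
    types, pos, last_window = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        # Windows must be in increasing order; each bitmap is 1..32 octets.
        if window <= last_window or not 1 <= length <= 32:
            raise ValueError("malformed window block")
        block = data[pos:pos + length]
        if len(block) != length:
            raise ValueError("truncated bitmap")
        for index, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.add(window * 256 + index * 8 + bit)
        pos += length
        last_window = window
    return types


def classify_ds_nodata(bitmap: bytes) -> str:
    """Classify a DS query that returned no DS records, given the matching NSEC3 bitmap.

    Assumes the NSEC3 record matches the hashed delegation name (no opt-out span).
    """
    if DS in decode_type_bitmap(bitmap):
        return "bogus"     # bitmap claims a DS exists, so the denial proof fails
    return "insecure"      # valid proof that the delegation is unsigned


# Constructed bitmaps: window 0 with NS only, and window 0 with NS, DS, RRSIG.
HEALTHY = bytes.fromhex("000120")
STALE_DS = bytes.fromhex("0006200000000012")

if __name__ == "__main__":
    for label, bitmap in (("healthy", HEALTHY), ("stale DS bit", STALE_DS)):
        print(label, sorted(decode_type_bitmap(bitmap)), classify_ds_nodata(bitmap))
```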
