[gentoo-dev] DNSSEC errors on *.bugs.gentoo.org

2013-01-24 Thread Michael Weber
Hello Robin,

looks like we have a little issue using DNSSEC for bugs.gentoo.org, but
not signing 339761.bugs.gentoo.org:

`dig does-not-exist.bugs.gentoo.org @8.8.8.8`
  returns A record with AD flag.
`dig 339761.bugs.gentoo.org @8.8.8.8`
  returns A record w/o AD flag

Both work with local unbound resolver with forwarders removed.
It looks like stale, unsigned entries.

Did you change anything in the last n days?
Or is the cache of 141.1.1.1 and 8.8.8.8 really compromised?

How do you sign these wildcards anyway? Would be interested.

   Michael


[1] http://domainincite.com/2361-dnssec-to-kill-the-isp-wildcard

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber x...@gentoo.org
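The two `dig` calls above boil down to one question: does the resolver set the AD (Authenticated Data) bit in the response header when the query carries the EDNS0 DO bit? The following is an added example, not code from the thread or from Gentoo infra: it builds the same query `dig` sends, parses the response header, and applies the check a practitioner would want (QR set, NOERROR, an answer, AD set). The sample responses are constructed byte strings, not captures from 8.8.8.8 or 141.1.1.1; `query_resolver` is provided for live use but is not run offline.

```python
"""Check the AD (Authenticated Data) bit of a DNS response by hand.

Added example for the thread above; it redoes `dig <name> @<resolver>`
at the wire level so the meaning of the AD flag is visible.
"""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010

EDNS_DO = 0x8000  # DNSSEC OK bit, carried in the OPT RR TTL field (RFC 6891)


def encode_name(name):
    """Encode 'a.b.c' as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, do=True):
    """Build a recursive query. With do=True an OPT RR with DO set is
    appended; without DO a validating resolver still validates but will
    not return RRSIGs, and some resolvers then omit AD as well."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if do:
        # root name, type OPT (41), class = UDP payload size, TTL = ext flags, rdlen 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Return the header fields and decoded flag bits of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def validated(msg, expected_id=None):
    """True only for a successful answer that the resolver marked AD.
    A missing AD bit is NOT evidence of a broken zone: it is exactly what
    a non-validating resolver returns for a correctly signed name."""
    h = parse_header(msg)
    if expected_id is not None and h["id"] != expected_id:
        return False
    return h["qr"] and h["rcode"] == 0 and h["ancount"] > 0 and h["ad"]


def _sample(flags, ancount):
    # Constructed sample (not a real capture): header plus question section,
    # which is all parse_header needs.
    return (struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
            + encode_name("339761.bugs.gentoo.org") + struct.pack("!HH", 1, 1))


# Validating resolver, secure answer: QR|RD|RA|AD, one answer record.
RESPONSE_AD = _sample(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1)
# Non-validating resolver (or one that never sets AD): QR|RD|RA, one answer.
RESPONSE_NO_AD = _sample(FLAG_QR | FLAG_RD | FLAG_RA, 1)
# Validating resolver, bogus data: SERVFAIL (rcode 2), no answer, no AD.
RESPONSE_SERVFAIL = _sample(FLAG_QR | FLAG_RD | FLAG_RA | 2, 0)


def query_resolver(resolver_ip, name, timeout=3.0):
    """Send the query over UDP and return the raw response (needs network;
    not called in the offline demo below)."""
    import socket
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        return s.recv(4096)


if __name__ == "__main__":
    for label, resp in [("validating", RESPONSE_AD),
                        ("non-validating", RESPONSE_NO_AD),
                        ("bogus/SERVFAIL", RESPONSE_SERVFAIL)]:
        h = parse_header(resp)
        print(f"{label:15s} rcode={h['rcode']} ad={h['ad']} validated={validated(resp)}")
```

Run it offline and the three constructed responses show the three outcomes that matter when comparing resolvers: AD set (validated), AD clear with a normal answer (resolver does not validate or does not signal it, which says nothing about the zone), and SERVFAIL (a validating resolver rejecting bogus data). Only the first and third tell you anything about the zone's signatures; to compare 8.8.8.8 against a local unbound, feed `query_resolver(ip, name)` into `validated` for each.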
Re: [gentoo-dev] DNSSEC errors on *.bugs.gentoo.org

2013-01-24 Thread Michael Weber
On 01/24/2013 09:02 AM, Michael Weber wrote:
> Did you change anything in the last n days?
> Or is the cache of 141.1.1.1 and 8.8.8.8 really compromised?

Mea culpa. Looks like these do not support AD now (or never did),
and my unbound always used the first resolver, which has AD.

As antarus pointed out, [1] and [2] report positive validation.

Michael

[1] http://dnssec-debugger.verisignlabs.com/339761.bugs.gentoo.org
[2] http://dnsviz.net/d/339761.bugs.gentoo.org/dnssec/
