> somebody complained that our resolvers could no longer resolve > energystar.gov > > https://dnssec-analyzer.verisignlabs.com/energystar.gov > > It seems the reports of the crumbling security of the .gov domain as a > side-effect of the shutdown aren't exaggerated: > > https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html > > Or am I doing something wrong?
It's not just you; their DNSSEC signatures have expired: bash-4.4$ dig energystar.gov. ns +norec ... ;; AUTHORITY SECTION: energystar.gov. 86158 IN NS ns1.energystar.gov. energystar.gov. 86158 IN NS ns2.energystar.gov. ;; ADDITIONAL SECTION: ns1.energystar.gov. 86158 IN A 162.159.24.254 ns2.energystar.gov. 86158 IN A 162.159.25.236 ns1.energystar.gov. 86158 IN AAAA 2400:cb00:2049:1::a29f:18fe ns2.energystar.gov. 86158 IN AAAA 2400:cb00:2049:1::a29f:19ec ... bash-4.4$ dig @162.159.24.254 energystar.gov. ns +norec +dnssec ... ;; ANSWER SECTION: energystar.gov. 14400 IN NS ns1.energystar.gov. energystar.gov. 14400 IN NS ns2.energystar.gov. energystar.gov. 14400 IN RRSIG NS 8 2 14400 20190113050003 20181204050003 9423 energystar.gov. kB3zF7HOZBskMLHZ4jDO0rLwIklEnkJQfxTJBKKRyw6QPWtK/QdzCgRr QIfkPl7osIoETk0HmAasJMfnOXQ2OIfT/NILhiltI2mYpjVdbjgpmvsR 2SOqzdpxMITDHl2dX7zrB6gN8Sa6jpaWz7z/y4VhP9shC+5rm3xEDsoe dOYq/0484Lu+gerxFEp9nF+0xROxpUGPJiJyPxzvimcDZ3Swyk/jZtVt ltkDKAfvCSpq9XgxMFwNtpegRrk6duz0z4ccePhv67xY/ZKXu0bF7CLs zKp2XFVjCk0iK9CePte+Z43qvDllmZAy6xZgqsni8bmqgDeATOxozNEX f4uQkw== ... Clearly, we're past 2019.01.13 by now. I'm however surprised their DNSSEC signature renewal doesn't appear to have been fully automated. Regards, - HÃ¥vard
