[Unbound-users] Help troubleshooting validation failures on ca.gov domains.
Augie Schwer
augie.schwer at gmail.com
Thu Mar 22 22:10:41 UTC 2012
On Wed, Mar 21, 2012 at 7:53 PM, Olafur Gudmundsson <ogud at ogud.com> wrote:
> The first thing that jumps out is the domain is using 2 different DNSKEY
> algorithms; this increases the possibility of mistakes.
> ALG 7 is in the record in parent with corresponding DNSKEY record signing
> the DNSKEY, but the key for algorithm 7 that signs the www.ca.gov A RRset is
> not in the DNSKEY RRset.
Indeed, what I didn't realize was that the site
http://dnsviz.net/d/www.ca.gov/dnssec/ was working on old data; when I
re-ran the report, it reported, like you said, that they had signed their
RRset with a new unpublished key.
It appears they have fixed their zone now; thanks for your help in
making sense of what happened.
--
Augie Schwer - Augie at Schwer.us - http://schwer.us
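
The failure discussed in this thread (an RRSIG made by a key that is not in the DNSKEY RRset), as an added example that is not part of the original messages: a Python check that computes RFC 4034 key tags for the published DNSKEYs and reports signatures no published key could have made. The function names, the zone name and all key bytes and key tags are constructed for illustration and are not data from ca.gov.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even-offset bytes are the high half of each 16-bit word.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def orphan_signatures(dnskeys, rrsigs):
    """Return the RRSIGs whose (algorithm, key tag) matches no published DNSKEY.

    A match is necessary but not sufficient for validation: key tags can
    collide, so a validator still has to verify the signature itself.
    """
    published = {
        (alg, key_tag(flags, proto, alg, base64.b64decode(b64)))
        for flags, proto, alg, b64 in dnskeys
    }
    return [s for s in rrsigs if (s["algorithm"], s["key_tag"]) not in published]

# Constructed DNSKEY RRset: (flags, protocol, algorithm, base64 public key).
# The key material is four dummy bytes per key, not real keys.
SAMPLE_DNSKEYS = [
    (257, 3, 7, "BQYHCA=="),   # KSK, algorithm 7, key tag 4118
    (256, 3, 7, "AQIDBA=="),   # ZSK, algorithm 7, key tag 2061
    (256, 3, 10, "CQoLDA=="),  # ZSK, algorithm 10, key tag 6176
]

# Constructed RRSIG fields as they would be read from `dig +dnssec` output.
SAMPLE_RRSIGS = [
    {"owner": "example.", "covered": "DNSKEY", "algorithm": 7, "key_tag": 4118},
    {"owner": "www.example.", "covered": "A", "algorithm": 10, "key_tag": 6176},
    # Signed with a new algorithm 7 key that was never added to the DNSKEY RRset.
    {"owner": "www.example.", "covered": "A", "algorithm": 7, "key_tag": 8229},
]

if __name__ == "__main__":
    for sig in orphan_signatures(SAMPLE_DNSKEYS, SAMPLE_RRSIGS):
        print("no published DNSKEY for RRSIG: {owner} {covered} "
              "alg={algorithm} tag={key_tag}".format(**sig))
```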