[Unbound-users] dfas.mil DNSSEC Failure
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jun 28 14:24:31 UTC 2013
On 28/06/13 15:20, Phil Mayers wrote:
> On 28/06/13 14:47, Ehren Hawks wrote:
>
>> Their Unbound server fails just as mine do, but their BIND server
>> returns the A record. I’m reluctant to disable DNSSEC validation over
>> this one domain, considering there appears to be an actual problem.
>> Considering BIND as well as Google’s public DNS are validating this site
>> OK I figured it was worth bringing up.
>>
>> Any feedback is appreciated!
>
> It's working for me from here (bind 9.9, DNSSEC-validating). They might
> have fixed it - try flushing your cache or restarting unbound.
>
Just to add, it looks like they may have moved to NSEC3 recently. I've
seen big problems when sites do this - lots of people seem to forget
that changing key algorithms is a KSK rollover and comes with very tight
TTL constraints; I note the TTLs on the DNSKEY in-zone are 86400. I bet
they got over-keen and resigned too quickly.
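As an added illustration of the failure mode Phil is describing (not code from the thread, from Unbound or from the zone's operators), the Python below does two things a resolver operator might do when a zone goes bogus after an NSEC3/algorithm change: check the DS/DNSKEY/RRSIG chain for the consistency rules a validator relies on (RFC 4035 section 2.2, RFC 6840 section 5.11), and work out the earliest safe time for each step of a conservative algorithm rollover as laid out in RFC 6781 section 4.1.4. All records are constructed sample data, not real dfas.mil records; the only value taken from the thread is the in-zone DNSKEY TTL of 86400, while the DS TTL, maximum zone TTL and propagation delay are assumptions.

```python
"""Added example: DNSSEC chain consistency check plus rollover timing.
All sample records below are constructed; they are not real dfas.mil data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# IANA DNSSEC algorithm numbers; 5 -> 7 is the classic "move to NSEC3" change.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    key_tag: int


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int


def chain_problems(ds_rrset, dnskey_rrset, rrsig_rrset):
    """Return a list of human-readable chain problems ([] means consistent).
    Rules: every DS must match a published DNSKEY (if none match, the zone is
    bogus), every DS algorithm needs a DNSKEY, and every algorithm in the
    DNSKEY RRset must have signed the DNSKEY RRset (RFC 6840 section 5.11)."""
    def name(alg):
        return ALG_NAMES.get(alg, f"alg{alg}")

    problems = []
    dnskey_algs = {k.algorithm for k in dnskey_rrset}
    dnskey_sig_algs = {s.algorithm for s in rrsig_rrset if s.type_covered == "DNSKEY"}
    matched = [d for d in ds_rrset
               if any(k.key_tag == d.key_tag and k.algorithm == d.algorithm
                      for k in dnskey_rrset)]
    if ds_rrset and not matched:
        problems.append("no DS at the parent matches any DNSKEY: zone is bogus")
    for d in ds_rrset:
        if d.algorithm not in dnskey_algs:
            problems.append(f"DS lists {name(d.algorithm)} but no DNSKEY uses it")
    for alg in sorted(dnskey_algs - dnskey_sig_algs):
        problems.append(f"DNSKEY RRset has {name(alg)} keys but no {name(alg)} RRSIG")
    return problems


def rollover_schedule(start, dnskey_ttl, ds_ttl, max_zone_ttl, propagation):
    """Earliest time for each step of a conservative algorithm rollover,
    modelled on RFC 6781 section 4.1.4: each step waits until every cache can
    have expired what the previous step changed. TTLs are in seconds."""
    steps = [
        ("publish RRSIGs made with the new algorithm (old keys stay)", 0),
        ("publish new-algorithm DNSKEYs", max_zone_ttl + propagation),
        ("parent swaps DS to the new-algorithm KSK", dnskey_ttl + propagation),
        ("remove old-algorithm DNSKEYs", ds_ttl + propagation),
        ("remove old-algorithm RRSIGs", dnskey_ttl + propagation),
    ]
    schedule, t = [], start
    for step, wait in steps:
        t = t + timedelta(seconds=wait)
        schedule.append((step, t))
    return schedule


# Constructed scenario A: zone resigned straight to algorithm 7 while the
# parent's DS (TTL 86400, assumed) still points at the algorithm 5 KSK.
RUSHED_DS = [DS(12345, 5)]
RUSHED_DNSKEY = [DNSKEY(257, 7, 23456), DNSKEY(256, 7, 34567)]
RUSHED_RRSIG = [RRSIG("DNSKEY", 7, 23456)]

# Constructed scenario B: mid-rollover done properly, both algorithms present.
DUAL_DS = [DS(12345, 5), DS(23456, 7)]
DUAL_DNSKEY = [DNSKEY(257, 5, 12345), DNSKEY(256, 5, 45678),
               DNSKEY(257, 7, 23456), DNSKEY(256, 7, 34567)]
DUAL_RRSIG = [RRSIG("DNSKEY", 5, 12345), RRSIG("DNSKEY", 7, 23456)]

if __name__ == "__main__":
    print("rushed:", chain_problems(RUSHED_DS, RUSHED_DNSKEY, RUSHED_RRSIG))
    print("dual:  ", chain_problems(DUAL_DS, DUAL_DNSKEY, DUAL_RRSIG))
    # DNSKEY TTL 86400 from the thread; DS TTL 86400, zone TTL 3600 and
    # 0 s propagation are assumptions for the illustration.
    for step, when in rollover_schedule(datetime(2013, 6, 28), 86400, 86400, 3600, 0):
        print(f"{when:%Y-%m-%d %H:%M}  {step}")
```

With a 86400 TTL on both DNSKEY and DS, the schedule shows why "resigned too quickly" breaks things: a full day has to pass between publishing the new keys and changing the DS, and another day before the old keys can go, so a same-day switch leaves caches holding a DS that matches nothing.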