Is it me or does energystar.gov no longer validate?

Havard Eidnes he at uninett.no
Wed Jan 23 10:20:16 UTC 2019


> somebody complained that our resolvers could no longer resolve
> energystar.gov
>
> https://dnssec-analyzer.verisignlabs.com/energystar.gov
>
> It seems the reports of the crumbling security of the .gov domain as a
> side-effect of the shutdown aren't exaggerated:
>
> https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html
>
> Or am I doing something wrong?

It's not just you; their DNSSEC signatures have expired:

bash-4.4$ dig energystar.gov. ns +norec
...
;; AUTHORITY SECTION:
energystar.gov.         86158   IN      NS      ns1.energystar.gov.
energystar.gov.         86158   IN      NS      ns2.energystar.gov.

;; ADDITIONAL SECTION:
ns1.energystar.gov.     86158   IN      A       162.159.24.254
ns2.energystar.gov.     86158   IN      A       162.159.25.236
ns1.energystar.gov.     86158   IN      AAAA    2400:cb00:2049:1::a29f:18fe
ns2.energystar.gov.     86158   IN      AAAA    2400:cb00:2049:1::a29f:19ec
...
bash-4.4$ dig @162.159.24.254 energystar.gov. ns +norec +dnssec
...
;; ANSWER SECTION:
energystar.gov.         14400   IN      NS      ns1.energystar.gov.
energystar.gov.         14400   IN      NS      ns2.energystar.gov.
energystar.gov.         14400   IN      RRSIG   NS 8 2 14400 20190113050003 20181204050003 9423 energystar.gov. kB3zF7HOZBskMLHZ4jDO0rLwIklEnkJQfxTJBKKRyw6QPWtK/QdzCgRr QIfkPl7osIoETk0HmAasJMfnOXQ2OIfT/NILhiltI2mYpjVdbjgpmvsR 2SOqzdpxMITDHl2dX7zrB6gN8Sa6jpaWz7z/y4VhP9shC+5rm3xEDsoe dOYq/0484Lu+gerxFEp9nF+0xROxpUGPJiJyPxzvimcDZ3Swyk/jZtVt ltkDKAfvCSpq9XgxMFwNtpegRrk6duz0z4ccePhv67xY/ZKXu0bF7CLs zKp2XFVjCk0iK9CePte+Z43qvDllmZAy6xZgqsni8bmqgDeATOxozNEX f4uQkw==
...

Clearly, we're past 2019.01.13 by now.

I'm however surprised their DNSSEC signature renewal doesn't
appear to have been fully automated.

Regards,

- Håvard



More information about the Unbound-users mailing list