US DNSSEC Key

Casey Deccio casey at deccio.net
Wed Dec 1 16:55:26 UTC 2010


On Wed, Dec 1, 2010 at 7:36 AM, John Williams <john.1209 at yahoo.com> wrote:
> I'm being told there is an RSA verification failure on the .US domain.  I'm
> getting details from the following;  http://dnsviz.net/d/us/dnssec/  I have a
> signed zone under us.  How does this affect my domain and other signed zones
> under .US?
>

It shouldn't affect things, as it is currently configured, since the
invalid signature is not a necessary link in the chain of trust.  The
SEP key (id=2058) matching the DS RRs properly authenticates the
DNSKEY RRset, so the signature covering the DNSKEY RRset made by key
23777 is irrelevant.

However, the fact that the signature is invalid might raise some
eyebrows, as it might be a symptom of something else that may cause
errors in the future.  The .us support is probably the right group to
ask about it.

Casey
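
The rule the reply relies on, as an added example that is not part of the original message or of BIND: a DNSKEY RRset is authenticated once one signature verifies under a key that a parent-side DS matches, and other failing signatures are only reported. The key ids 2058 and 23777 come from the thread; the function names, the DS sets, and the verification outcomes fed in are constructed assumptions, and DS digest matching is reduced to a key-tag comparison.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rrsig:
    key_tag: int    # DNSKEY that produced the signature
    verifies: bool  # outcome of the cryptographic check (supplied, not computed here)

def evaluate_dnskey_rrset(ds_key_tags, dnskey_tags, rrsigs):
    """Classify a zone's apex DNSKEY RRset as secure, bogus or insecure.

    One verifying RRSIG made by a DNSKEY that a parent-side DS matches is
    enough; other signatures over the RRset are reported but do not decide.
    """
    if not ds_key_tags:
        # Simplification: DS absence is assumed to be proven by the parent.
        return "insecure", []
    entry_points = set(ds_key_tags) & set(dnskey_tags)
    anchored = any(s.verifies and s.key_tag in entry_points for s in rrsigs)
    warnings = []
    for s in rrsigs:
        if not s.verifies:
            role = "DS-matched" if s.key_tag in entry_points else "not DS-matched"
            warnings.append(f"RRSIG by key {s.key_tag} ({role}) fails verification")
    return ("secure" if anchored else "bogus"), warnings

# Constructed sample using the two key ids mentioned in the thread.
DNSKEYS = [2058, 23777]
SIGS = [Rrsig(2058, True), Rrsig(23777, False)]

def as_described():
    # DS matches key 2058, whose signature verifies.
    return evaluate_dnskey_rrset([2058], DNSKEYS, SIGS)

def if_ds_pointed_at_other_key():
    # Hypothetical configuration: the only DS matches key 23777 instead.
    return evaluate_dnskey_rrset([23777], DNSKEYS, SIGS)

if __name__ == "__main__":
    print(as_described())
    print(if_ds_pointed_at_other_key())
```

The second case shows why the invalid signature is still worth monitoring: the same failure becomes fatal if the failing key ever becomes the only DS-matched key.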



More information about the bind-users mailing list