cannot resolve oppedahl.com from uspto.gov domain

Bill Owens owens at nysernet.org
Fri Feb 3 14:04:43 UTC 2012


On Fri, Feb 03, 2012 at 08:37:04AM -0500, Lear, Karen (Evolver) wrote:
> Beginning sometime within the past few days, uspto.gov domain cannot resolve oppedahl.com domain, but can resolve it from almost everywhere else.  Some free websites (http://centralops.net/co/) cannot resolve it as well.  I want to verify that uspto.gov doesn't need to correct anything on our end.  When doing a dig, I can't get an IP address for their nameservers.
> 
> By the way, they have published DNSSEC keys out there not in use.  Last year, I had a few clients that couldn't connect to uspto.gov domain when I had published keys out there that I had not removed.  Once I removed them, the problem was resolved.  Do you think this could be the same case for oppedahl.com?  I appreciate any help.  Thx.

From here it appears that oppedahl.com is signed correctly, with the small quirk that they have two DS records pointing to two KSKs, both valid, but only one of which has signed the DNSKEY RRSET. It's possible they are partway through a KSK rollover, though their serial number makes it look like the zone hasn't changed since last November. I wouldn't think that BIND 9.7.4 would have any issues with that. It might be worth looking at your logs, assuming you log DNSSEC errors (and if you don't, it's a good idea to start ;)

Bill.
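
The situation described in the reply above (two DS records, two KSKs, only one KSK signing the DNSKEY RRset) can be checked offline from record data. This is an added example, not part of the original post; the zone name, key bytes and record sets are constructed placeholders, and it only matches DS digests and RRSIG key tags to keys, without verifying signatures cryptographically.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lowercase) wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner wire name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def classify_ksks(owner, dnskeys, ds_set, rrsig_key_tags):
    """Map each KSK's key tag to (has_matching_ds, signed_dnskey_rrset)."""
    result = {}
    for rdata in dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & 0x0001:          # SEP bit clear: a ZSK, skip it
            continue
        tag = key_tag(rdata)
        has_ds = (tag, ds_digest_sha256(owner, rdata)) in ds_set
        result[tag] = (has_ds, tag in rrsig_key_tags)
    return result

def has_secure_entry_point(status) -> bool:
    """A validator needs one KSK that both matches a DS and signs the DNSKEY RRset."""
    return any(has_ds and signed for has_ds, signed in status.values())

# Constructed sample data (placeholder key bytes, not real keys).
ZONE = "example.test."
KSK_A = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")
KSK_B = dnskey_rdata(257, 8, b"\x05\x06\x07\x08")
ZSK = dnskey_rdata(256, 8, b"\x09\x0a\x0b\x0c")
DS_SET = {(key_tag(k), ds_digest_sha256(ZONE, k)) for k in (KSK_A, KSK_B)}
RRSIG_TAGS = {key_tag(KSK_A)}           # only KSK_A signed the DNSKEY RRset

if __name__ == "__main__":
    status = classify_ksks(ZONE, [KSK_A, KSK_B, ZSK], DS_SET, RRSIG_TAGS)
    for tag, (has_ds, signed) in sorted(status.items()):
        print(f"KSK {tag}: DS match={has_ds}, signs DNSKEY RRset={signed}")
    print("usable chain of trust:", has_secure_entry_point(status))
```

A KSK with a DS but no signature over the DNSKEY RRset, as with the second key here, still leaves the chain of trust usable through the other key; the failure case is when no KSK has both.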


