expired KSK, other domains failed to resolve?

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Thu Aug 6 08:16:04 UTC 2015


I wish I had the foresight to save the dig traces....

But, on Tuesday we had a strange DNS outage.

I have 3 outside-facing authoritative-only nameservers named ns-1.ksu.edu, 
ns-2.ksu.edu, ns-3.ksu.edu, which are all slaves off our hidden master 
server, which, in addition to being the authority for ksu.edu, is the 
authority for many other zones... such as kstatesports.com.

Our KSK rollover was the month of July, but the business office person that 
has access to our registrars didn't update to our new KSK by the 31st. (The 
actual inactivation was August 2nd at 1am... it should've been August 1st, but 
the script had failed to run automatically for the previous KSK rollover, and I 
got it to run the following day... though it again didn't work for this KSK 
rollover...)

However, I noticed that the zone file on my slaves had a July 28th timestamp, 
which is odd, because the routine resigning had run on the morning of the 31st 
(Friday mornings, by cron).

So, in running some tests... I found that "dig +trace kstatesports.com" would 
get to ns-1.ksu.edu, show a couple of NSEC3 records, and stop.

I then tried "dig +trace +nodnssec kstatesports.com" and it resolved.

Oh... I wonder why I hadn't tried doing dig after I got things temporarily 
working again.

I see now that I got two NSEC3 records, and their corresponding RRSIG 
records.

So, what's the reason for needing those NSEC3s in getting to 
kstatesports.com?  And what was the cause of there being no RRSIGs?  Is the 
timing part of the signing, or was it past its half-life, so as to stop these 
other domains but not resolutions from the ksu.edu zone?

------

Only our .edu domains are signed.  Though in the future we might start 
signing everything... except our reverse IP space.  Who knew that ARIN was 
going to disallow role accounts from making changes, where we only have role 
accounts as contacts for our IP space?  (That was probably before I knew of 
such things, like their takeover of things...)

Likewise, while I'm the only individual contact for a former employer's IP 
space, they require proof of the company's existence and that I'm part of the 
company... before they can process my request to release the IP space.  But 
the company went out of business in early 2001.  Some company in Japan seems 
to be squatting on our old domain (I recall our business manager suddenly 
finding that we had to pay to keep our domain).  But it seems to me I didn't 
hear about ARIN wanting money for IP space until just before my first LISA 
(2007), where I found a person from ARIN surrounded by admins 
discussing, asking, screaming, etc. about them wanting to suddenly charge lots 
of money for their (pre-ARIN) assignments, etc.  Or perhaps it was my second 
LISA in 2008...  Hmm, probably 2007, when there was lots of news that IPv4 was 
about to run out... which we finally did last month?  Wonder how long before 
I'll get around to doing IPv6... at home...

I actually tried to release it twice; somehow I forgot why they wouldn't let 
me the first time.  They also won't let me remove the company info without 
some kind of impossible proof... from the company to allow it.  It wasn't until 
their request for proof of the company's existence that I remembered that I had 
run into the problem before.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
                                    with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
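The two failure modes the post describes, a DS at the registrar that still points at the old KSK after a rollover, and RRSIGs whose validity window has lapsed because re-signing did not take, can both be checked offline from the records alone. The following is an added example, not code from the post or from BIND: the DNSKEY, DS and RRSIG records are constructed sample data (not kstatesports.com's real keys), the function names are this example's own, and only SHA-256 DS records (digest type 2) and the RFC 4034 Appendix B key tag (all algorithms except RSA/MD5) are handled.

```python
"""Offline DNSSEC sanity checks: does the parent's DS still match a KSK in the
zone, and are the zone's RRSIGs inside their validity window right now?
All records below are constructed sample data, not real zone data."""
import hashlib
from datetime import datetime, timezone


def wire_name(name: str) -> bytes:
    """Owner name in DNS wire format, lower-cased as RFC 4034 requires for DS."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """Digest field of a DS record with digest type 2: SHA-256(owner | RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def ds_matches_ksk(owner: str, ds: tuple, dnskeys: list) -> bool:
    """True if the DS (key_tag, algorithm, digest_type, digest) matches any
    SEP-flagged DNSKEY in `dnskeys`. A registrar that still holds the DS of a
    retired KSK will return False against the current key set."""
    tag, alg, dtype, digest = ds
    if dtype != 2:
        raise ValueError("this example only handles SHA-256 DS records")
    for rdata in dnskeys:
        flags = int.from_bytes(rdata[:2], "big")
        if not flags & 0x0001:  # SEP bit clear: a ZSK, never referenced by DS
            continue
        if (rdata[3] == alg and key_tag(rdata) == tag
                and ds_digest_sha256(owner, rdata) == digest.upper()):
            return True
    return False


def rrsig_status(rrsig_line: str, now: datetime) -> str:
    """Classify an RRSIG in dig presentation format against `now`.
    Field order: owner ttl class RRSIG type alg labels origttl expiration
    inception keytag signer signature (timestamps are YYYYMMDDHHmmSS, UTC)."""
    f = rrsig_line.split()
    expiration = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    inception = datetime.strptime(f[9], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if now < inception:
        return "not yet valid"
    if now > expiration:
        return "expired"
    return "valid"


# ---- constructed sample data (hypothetical keys and signatures) ----
ZONE = "kstatesports.com."
OLD_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")   # flags 257 = SEP set
NEW_KSK = dnskey_rdata(257, 3, 8, b"\x0a\x0b\x0c\x0d")   # the July rollover key
# What the registrar still publishes: the DS derived from the OLD key.
REGISTRAR_DS = (key_tag(OLD_KSK), 8, 2, ds_digest_sha256(ZONE, OLD_KSK))

RRSIGS = [
    # signed July 28, expired Aug 4 01:00 UTC: the stale signature on the slaves
    "kstatesports.com. 3600 IN RRSIG A 8 2 3600 20150804010000 20150728010000 "
    "12345 kstatesports.com. c29tZXNpZw==",
    # what a successful July 31 re-sign would have produced
    "kstatesports.com. 3600 IN RRSIG A 8 2 3600 20150814010000 20150731010000 "
    "12345 kstatesports.com. b3RoZXJzaWc=",
]
NOW = datetime(2015, 8, 4, 13, 0, tzinfo=timezone.utc)


def audit(owner: str, ds: tuple, dnskeys: list, rrsigs: list, now: datetime) -> dict:
    """Summarise both checks; resolvers fail validation on either condition."""
    return {
        "ds_matches_current_ksk": ds_matches_ksk(owner, ds, dnskeys),
        "rrsig_status": [rrsig_status(r, now) for r in rrsigs],
    }


if __name__ == "__main__":
    print("after rollover, registrar DS vs new KSK only:",
          audit(ZONE, REGISTRAR_DS, [NEW_KSK], RRSIGS, NOW))
```

In practice you would feed `dig DS kstatesports.com @<parent-ns>` and `dig DNSKEY kstatesports.com @ns-1.ksu.edu` output into `ds_matches_ksk`, and the RRSIGs from `dig +dnssec` into `rrsig_status`; a False on the DS check after a KSK rollover means the registrar was never updated, and "expired" means the re-signing cron job did not actually refresh the zone the slaves are serving.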

