dnssec-delegation seems to be broken from .gov to bls.gov
Nick Tait
nick at tait.net.nz
Wed Dec 6 20:23:05 UTC 2023
On 7/12/2023 9:05 am, Nick Tait via bind-users wrote:
> I could be wrong, but based on the output above it looks like the
> current TTL is 0, which means that doing this should provide immediate
> relief.
Sorry, it looks like the DNS server on the Wi-Fi network I'm connected to
has done something weird with the TTL.
This is what I get when querying one of the "gov." authoritative servers
directly:
$ dig -t ds bls.gov @a.ns.gov +norecurse
; <<>> DiG 9.18.18-0ubuntu2-Ubuntu <<>> -t ds bls.gov @a.ns.gov +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32241
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bls.gov. IN DS
;; ANSWER SECTION:
bls.gov. 3600 IN DS 50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C
;; Query time: 16 msec
;; SERVER: 2001:503:ff40::1#53(a.ns.gov) (UDP)
;; WHEN: Thu Dec 07 09:19:24 NZDT 2023
;; MSG SIZE rcvd: 84
This means when you remove the DS record, it will take 1 hour to fully
take effect (assuming no delay replicating between authoritative servers).
Nick.
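The following is an added example, not part of the original post: a Python sketch that reads dig output and uses the DS TTL for removal planning only when the header carries the aa flag, since a TTL relayed by a resolver (such as the 0 mentioned above) is not the zone's own value. The function names are hypothetical and the resolver sample is constructed; the authoritative sample is trimmed from the output in the post.

```python
import re
from datetime import datetime, timedelta

# Copied from the post (trimmed): a.ns.gov answering directly (+norecurse).
AUTHORITATIVE = """\
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
bls.gov. 3600 IN DS 50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C
;; WHEN: Thu Dec 07 09:19:24 NZDT 2023
"""
# Constructed sample: the same record relayed by a local resolver with TTL 0.
VIA_RESOLVER = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
bls.gov. 0 IN DS 50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C
;; WHEN: Thu Dec 07 09:05:00 NZDT 2023
"""

DS_LINE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f ]+)$", re.M)

def parse_ds_answer(text):
    """Extract header flags, the DS record and the query time from dig output."""
    flags = re.search(r"^;; flags: ([a-z ]+);", text, re.M).group(1).split()
    owner, ttl, tag, alg, dtype, digest = DS_LINE.search(text).groups()
    when = re.search(r"^;; WHEN: (.+) \S+ (\d{4})$", text, re.M)
    # Drop the zone abbreviation (strptime cannot parse "NZDT"); time stays local.
    asked = datetime.strptime(" ".join(when.groups()), "%a %b %d %H:%M:%S %Y")
    return {"flags": flags, "owner": owner, "ttl": int(ttl), "key_tag": int(tag),
            "algorithm": int(alg), "digest_type": int(dtype),
            # dig splits long digests with spaces; rejoin before comparing.
            "digest": digest.replace(" ", "").upper(), "asked": asked}

def latest_cache_expiry(text):
    """Latest time a validator could still hold this DS if it were removed
    from the parent at query time; None when the TTL is not the zone's own."""
    rec = parse_ds_answer(text)
    if "aa" not in rec["flags"]:
        return None  # relayed answer: TTL is counted down or rewritten
    return rec["asked"] + timedelta(seconds=rec["ttl"])

if __name__ == "__main__":
    for label, out in (("authoritative", AUTHORITATIVE), ("resolver", VIA_RESOLVER)):
        print(label, parse_ds_answer(out)["ttl"], latest_cache_expiry(out))
```

The returned time is in the local time of the machine that ran dig, because the zone abbreviation on the WHEN line is discarded.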