Maintained by: NLnet Labs

[Unbound-users] dfas.mil DNSSEC Failure

Phil Mayers
Fri Jun 28 16:24:31 CEST 2013


On 28/06/13 15:20, Phil Mayers wrote:
> On 28/06/13 14:47, Ehren Hawks wrote:
>
>> Their Unbound server fails just as mine do, but their BIND server
>> returns the A record. I’m reluctant to disable DNSSEC validation over
>> this one domain, considering there appears to be an actual problem.
>> Considering BIND as well as Google’s public DNS are validating this site
>> OK I figured it was worth bringing up.
>>
>> Any feedback is appreciated!
>
> It's working for me from here (bind 9.9, DNSSEC-validating). They might
> have fixed it - try flushing your cache or restarting unbound.
>

Just to add, it looks like they may have moved to NSEC3 recently. I've 
seen big problems when sites do this - lots of people seem to forget 
that changing key algorithms is a KSK rollover and comes with very tight 
TTL constraints; I note the TTLs on the DNSKEY in-zone are 86400. I bet 
they got over-keen and resigned too quickly.
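As an added illustration (not part of Phil's message or anything else in this thread), the following constructed Python model shows why an algorithm change has to be paced by the DNSKEY TTL: a resolver may still hold the old DNSKEY RRset for up to TTL seconds after the zone changed, and it can only verify fresh RRSIGs whose algorithm matches a key it has cached. The algorithm numbers (5 for RSASHA1 and 7 for RSASHA1-NSEC3-SHA1) are an assumption about what a typical NSEC to NSEC3 move involves, not data taken from dfas.mil; the timelines are constructed, and only the child zone's DNSKEY TTL is modelled (the parent's DS TTL adds a second constraint of the same shape).

```python
"""Constructed model of a DNSSEC algorithm rollover as seen through resolver caches.

Checks two things for a sequence of publication steps:
  * RFC 4035 section 2.2: zone data is signed with every algorithm in the DNSKEY RRset;
  * cache safety: a resolver holding a DNSKEY RRset up to TTL seconds old can still
    verify the RRSIGs currently served.
"""
from dataclasses import dataclass

DNSKEY_TTL = 86400  # the in-zone DNSKEY TTL mentioned in the thread

RSASHA1 = 5             # assumed pre-NSEC3 algorithm number
RSASHA1_NSEC3_SHA1 = 7  # assumed algorithm adopted with NSEC3


@dataclass(frozen=True)
class Step:
    """Zone state published from time t (seconds) until the next step."""
    t: int
    dnskey_algs: frozenset  # algorithms present in the DNSKEY RRset
    rrsig_algs: frozenset   # algorithms with which the zone data is signed


def rfc4035_complete(step):
    """RFC 4035 s2.2: every algorithm in the DNSKEY RRset must also sign the zone data."""
    return step.dnskey_algs <= step.rrsig_algs


def cacheable_states(timeline, t_fetch, ttl):
    """Steps whose DNSKEY RRset a resolver could still hold at t_fetch.

    Step i is in effect on [steps[i].t, steps[i+1].t); a resolver that fetched DNSKEY
    anywhere in [t_fetch - ttl, t_fetch] may still be using that RRset."""
    out = []
    for i, step in enumerate(timeline):
        end = timeline[i + 1].t if i + 1 < len(timeline) else float("inf")
        if step.t <= t_fetch and end > t_fetch - ttl:
            out.append(step)
    return out


def check_rollover(timeline, ttl=DNSKEY_TTL):
    """Return a list of human-readable problems; an empty list means the rollover is safe."""
    problems = []
    timeline = sorted(timeline, key=lambda s: s.t)
    for fetch in timeline:
        if not rfc4035_complete(fetch):
            problems.append(f"t={fetch.t}: DNSKEY has algs {sorted(fetch.dnskey_algs)} "
                            f"but data is signed only with {sorted(fetch.rrsig_algs)}")
        for cached in cacheable_states(timeline, fetch.t, ttl):
            # validation needs a cached DNSKEY whose algorithm matches a live RRSIG
            if not (cached.dnskey_algs & fetch.rrsig_algs):
                problems.append(f"t={fetch.t}: resolver with DNSKEY cached at t={cached.t} "
                                f"(algs {sorted(cached.dnskey_algs)}) cannot verify RRSIG algs "
                                f"{sorted(fetch.rrsig_algs)} -> SERVFAIL")
    return problems


# Constructed "over-keen" rollover: key and signatures swapped in one step, an hour apart.
HASTY = [
    Step(0, frozenset({RSASHA1}), frozenset({RSASHA1})),
    Step(3600, frozenset({RSASHA1_NSEC3_SHA1}), frozenset({RSASHA1_NSEC3_SHA1})),
]

# Constructed conservative rollover: pre-publish the new key and double-sign, then wait
# longer than the DNSKEY TTL before withdrawing the old algorithm.
CAREFUL = [
    Step(0, frozenset({RSASHA1}), frozenset({RSASHA1})),
    Step(3600, frozenset({RSASHA1, RSASHA1_NSEC3_SHA1}),
         frozenset({RSASHA1, RSASHA1_NSEC3_SHA1})),
    Step(3600 + 2 * DNSKEY_TTL, frozenset({RSASHA1_NSEC3_SHA1}),
         frozenset({RSASHA1_NSEC3_SHA1})),
]

if __name__ == "__main__":
    for name, tl in (("hasty", HASTY), ("careful", CAREFUL)):
        probs = check_rollover(tl)
        print(f"{name}: {'OK' if not probs else ''}")
        for p in probs:
            print("  " + p)
```

Running it reports the hasty timeline as unverifiable for any resolver that cached the DNSKEY RRset before the switch, which is the SERVFAIL pattern a strictly validating resolver produces; the careful timeline passes because the old algorithm is only withdrawn after every copy of the single-algorithm DNSKEY RRset has aged out of caches.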