On Fri, Feb 03, 2012 at 08:37:04AM -0500, Lear, Karen (Evolver) wrote:
> Beginning sometime within the past few days, uspto.gov domain cannot resolve 
> oppedahl.com domain, but can resolve it from almost everywhere else.  Some 
> free websites (http://centralops.net/co/) cannot resolve it as well.  I want 
> to verify that uspto.gov doesn't need to correct anything on our end.  When 
> doing a dig, I can't get an IP address for their nameservers.
> 
> By the way, they have published DNSSEC keys out there not in use.  Last year, 
> I had a few clients that couldn't connect to uspto.gov domain when I had 
> published keys out there that I had not removed.  Once I removed them, the 
> problem was resolved.  Do you think this could be the same case for 
> oppedahl.com?  I appreciate any help.  Thx.

From here it appears that oppedahl.com is signed correctly, with the small
quirk that they have two DS records pointing to two KSKs, both valid, but only
one of which has signed the DNSKEY RRSET. It's possible they are partway
through a KSK rollover, though their serial number makes it look like the zone
hasn't changed since last November. I wouldn't think that BIND 9.7.4 would
have any issues with that. It might be worth looking at your logs, assuming
you log DNSSEC errors (and if you don't, it's a good idea to start ;)

Bill.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
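
The state described in the reply above (two DS records, two KSKs, only one of which signs the DNSKEY RRset), sketched as an added example that is not part of the original thread. The keys are constructed sample data, not oppedahl.com's; the function names are hypothetical; the key tag routine follows RFC 4034 Appendix B and assumes an algorithm other than 1 (RSA/MD5).

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Parse DNSKEY RDATA in presentation form: flags protocol algorithm key."""
    flags, proto, alg, b64 = line.split(None, 3)
    return int(flags), int(proto), int(alg), base64.b64decode(b64.replace(" ", ""))

def tag_of(line):
    return key_tag(*parse_dnskey(line))

def classify_ds(ds_tags, dnskey_lines, rrsig_signer_tags):
    """Map each DS key tag in the parent to its state at the child apex."""
    published = {tag_of(line) for line in dnskey_lines}
    states = {}
    for tag in ds_tags:
        if tag not in published:
            states[tag] = "no matching DNSKEY"       # stale DS, no key behind it
        elif tag in rrsig_signer_tags:
            states[tag] = "signs DNSKEY RRset"       # usable secure entry point
        else:
            states[tag] = "published, not signing"   # e.g. mid KSK rollover
    return states

def chain_ok(states):
    # RFC 4035 section 5.2: one DS whose key signs the DNSKEY RRset suffices.
    return "signs DNSKEY RRset" in states.values()

# Constructed sample keys (algorithm 8); the key material is filler bytes.
KSK_OLD = "257 3 8 " + base64.b64encode(b"constructed-ksk-old" * 4).decode()
KSK_NEW = "257 3 8 " + base64.b64encode(b"constructed-ksk-new" * 4).decode()
ZSK = "256 3 8 " + base64.b64encode(b"constructed-zsk" * 4).decode()

if __name__ == "__main__":
    ds = [tag_of(KSK_OLD), tag_of(KSK_NEW)]          # both DS records in parent
    signers = {tag_of(KSK_NEW), tag_of(ZSK)}         # key tags seen in RRSIG DNSKEY
    states = classify_ds(ds, [KSK_OLD, KSK_NEW, ZSK], signers)
    for tag, state in states.items():
        print(tag, state)
    print("chain validates:", chain_ok(states))
```

Only compare tags as a first pass: a key tag is a checksum, not a unique identifier, so a real check also verifies the DS digest and the RRSIG itself.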