I wish I had the foresight to save the dig traces....
But, on Tuesday we had a strange DNS outage.
I have 3 outside facing authoritative-only nameservers named ns-1.ksu.edu,
ns-2.ksu.edu, ns-3.ksu.edu, which are all slaves off our hidden master
server, which in addition to being the authority for ksu.edu, is the authority for
many other zones....such as kstatesports.com.
Our KSK rollover was the month of July, but the business office person that
has access to our registrars didn't update to our new KSK by the 31st. (The
actual inactivation was August 2nd at 1am...should've been August 1st, but
the script had failed to run automatically for the previous KSK rollover, but I got
it to run the following day...though it again didn't work for this KSK
rollover...)
However I noticed that the zone file on my slaves had a July 28th timestamp,
which is odd, because the routine resigning had run on the morning of the 31st
(Friday mornings by cron).
So, in running some tests....I found that "dig +trace kstatesports.com" would
get to ns-1.ksu.edu, show a couple of NSEC3 records and stop.
I then tried "dig +trace +nodnssec kstatesports.com" and it resolved.
Oh....wonder why I hadn't tried doing dig after I got things temporarily
working again.
I see now that I got two NSEC3 records, and their corresponding RRSIG
records.
So, what's the reason for needing those NSEC3's in getting to
kstatesports.com? And, what was the cause for no RRSIGs? Is the timing
part of the signing or was it past its half life to stop these other domains,
but not resolutions in from the ksu.edu zone?
------
Only our .edu domains are signed. Though in the future we might start
signing everything....except our reverse IP space. Who knew that ARIN was
going to disallow role accounts from making changes, where we only have role
accounts as contacts for our IP space. (Was probably before I knew of such
things, like their takeover of things...)
Like while I'm the only individual contact for a former employer's IP space,
they require proof of the company's existence and that I'm part of the
company....before they can process my request to release the IP space. But
the company went out of business in early 2001. Some company in Japan seems to
be squatting on our old domain (I recall our business manager suddenly
finding that we had to pay to keep our domain). But, it seems to me I didn't
hear about ARIN wanting money for IP space just before my first LISA (2007),
where I found a person from ARIN surrounded by admins
discussing, asking, screaming, etc. about them wanting to suddenly charge lots of
money for their (pre-ARIN) assignments, etc. Or perhaps it was my second
LISA in 2008... Hmm, probably 2007 when there was lots of news that IPv4 was
about to run out.... where we finally did last month? Wonder how long before
I'll get around to doing IPv6..at home...
I actually tried to release it twice; somehow I forgot why they wouldn't let
me the first time. They also won't let me remove the company info without
some kind of impossible proof...from the company to allow it. Wasn't until
their request for proof of the company's existence that I remembered that I had
run into the problem before.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
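Two checks behind the questions in the post above, added here as an example and not code from the poster or from BIND: whether the DS the registrar published at the parent still matches a KSK that is actually in the zone's DNSKEY RRset (the rollover gap described), and whether a given RRSIG is inside its inception..expiration window at a given time (the "timing" question). The key material, the example.edu name and the RRSIG line are constructed sample data, not the real ksu.edu records.

```python
import base64, hashlib
from datetime import datetime

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, raw public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: the number that DS and RRSIG records cite."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over the canonical wire-format owner name + DNSKEY RDATA."""
    labels = owner.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest().upper()

def parent_ds_matches_zone(owner, zone_keys, parent_ds):
    """True if a DS at the parent points at a KSK (SEP bit set) present in the zone.
    zone_keys: [(flags, proto, alg, pubkey_b64)]; parent_ds: {(key_tag, alg, digest_type, hex)}."""
    for flags, proto, alg, key in zone_keys:
        if not flags & 1:  # DS records reference KSKs (flags 257); ZSKs are skipped
            continue
        rdata = dnskey_rdata(flags, proto, alg, key)
        if (key_tag(rdata), alg, 2, ds_sha256(owner, rdata)) in parent_ds:
            return True
    return False

def rrsig_valid_at(rrsig_line, now):
    """Parse one RRSIG line as dig prints it; True if `now` (YYYYMMDDHHMMSS, UTC)
    lies inside the signature's inception..expiration window."""
    f = rrsig_line.split()
    i = f.index("RRSIG")  # then: type alg labels orig-ttl expiration inception keytag signer sig
    exp, inc, t = (datetime.strptime(s, "%Y%m%d%H%M%S") for s in (f[i + 5], f[i + 6], now))
    return inc <= t <= exp

# Constructed sample data (not real ksu.edu keys): the retired KSK, its replacement,
# and a parent DS set where the registrar still carries only the old key.
ZONE = "example.edu."
OLD_KSK = (257, 3, 8, "AAE=")
NEW_KSK = (257, 3, 8, "AAI=")
OLD_RDATA = dnskey_rdata(*OLD_KSK)
STALE_PARENT_DS = {(key_tag(OLD_RDATA), 8, 2, ds_sha256(ZONE, OLD_RDATA))}
SAMPLE_RRSIG = "example.edu. 3600 IN RRSIG SOA 8 2 3600 20150807120000 20150728120000 1034 example.edu. AAAA"
```

Feed it the DNSKEY RRset from the zone and the DS RRset from the parent (both as dig +dnssec prints them); the digest it computes is the same one BIND's dnssec-dsfromkey emits, so a mismatch means the registrar-side DS was never updated for the new KSK.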
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users