We've been having a problem since late last week (10/24) with a domain hosted
at CF. Somehow, the RRSIG covering the DNSKEY record has expired. The DNSKEY
record is available at the authoritative NS (sima), but ask anyone else and we
get back SERVFAIL. I'm not claiming either answer is wrong, just that the
entire domain is inaccessible until a new RRSIG is generated for the DNSKEY.
What's the mechanism for re-signing a DNSKEY key record?
$ dig +dnssec @sima.ns.cloudflare.com agrilinks.org DNSKEY

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;agrilinks.org.                 IN      DNSKEY

;; ANSWER SECTION:
agrilinks.org.          3600    IN      DNSKEY  257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+
                                        KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
agrilinks.org.          3600    IN      DNSKEY  256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8
                                        KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
agrilinks.org.          3600    IN      RRSIG   DNSKEY 13 2 3600 20201024231704
                                        20200825231704 2371 agrilinks.org.
                                        e1Gd3UjvzbN2HWnNrRgzHoeoGEg6+swFF3JKwoF1cTJrda/O2O9J8KbP
                                        SBJuWa6T7XjFXs+bXGipIJROwxr3Sw==

$ dig +dnssec @1.1.1.1 agrilinks.org DNSKEY

; <<>> DiG 9.10.6 <<>> +dnssec @1.1.1.1 agrilinks.org DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; OPT=15: 00 06 ("..")
;; QUESTION SECTION:
;agrilinks.org.                 IN      DNSKEY

Thanks,
jf
--
John Franklin
[email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
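The failure described in the post is visible in the RRSIG itself: the expiration field 20201024231704 is 2020-10-24 23:17:04 UTC (RFC 4034 section 3.1.5, timestamps are YYYYMMDDHHmmSS in UTC), which is the "10/24" the poster mentions, and the inception field 20200825231704 gives a 60-day validity window. The authoritative server keeps serving the record regardless of its clock; a validating resolver compares the window against its own clock and returns SERVFAIL once it is past. The script below is an added example written for this page, not code from the post, from Cloudflare or from the dns-operations list. It parses dig presentation format for DNSKEY and RRSIG records, classifies the DNSKEY RRSIG as a validator at a given time would (valid, expiring soon, expired, not yet valid) and computes RFC 4034 Appendix B key tags to check whether a key with the RRSIG's key tag is present in the DNSKEY RRset. The sample records are the ones from the post; the indented continuation-line layout is how dig wraps long records and is reconstructed here. The `warn_before` threshold of seven days is an assumed monitoring policy, not anything the post states.

```python
"""Check the validity window of the RRSIG covering a zone's DNSKEY RRset.

Added example (not from the original post). Input is dig presentation
format; the records below are the ones from the post, with dig's indented
continuation lines reconstructed.
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample input: the DNSKEY RRset and its RRSIG from the post.
SAMPLE_DIG_OUTPUT = """\
agrilinks.org.  3600  IN  DNSKEY  257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+
                                          KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
agrilinks.org.  3600  IN  DNSKEY  256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8
                                          KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
agrilinks.org.  3600  IN  RRSIG   DNSKEY 13 2 3600 20201024231704
                                          20200825231704 2371 agrilinks.org.
                                          e1Gd3UjvzbN2HWnNrRgzHoeoGEg6+swFF3JKwoF1cTJrda/O2O9J8KbP
                                          SBJuWa6T7XjFXs+bXGipIJROwxr3Sw==
"""


def utc(*args):
    """datetime(...) in UTC; RRSIG timestamps are always UTC."""
    return datetime(*args, tzinfo=timezone.utc)


def _join_continuations(text):
    """Fold dig's wrapped records (indented continuation lines) into one line each."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # blank lines and dig comments
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.strip())
    return records


def _parse_timestamp(ts):
    """RFC 4034 3.1.5 presentation format: YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_records(text):
    """Return (dnskeys, rrsigs) parsed from dig presentation-format output."""
    dnskeys, rrsigs = [], []
    for rec in _join_continuations(text):
        f = rec.split()
        if len(f) < 5:
            continue
        name, rtype = f[0], f[3]
        if rtype == "DNSKEY":  # flags protocol algorithm public-key
            dnskeys.append({"name": name, "flags": int(f[4]), "protocol": int(f[5]),
                            "algorithm": int(f[6]), "key": "".join(f[7:])})
        elif rtype == "RRSIG":  # type alg labels origttl expiration inception keytag signer sig
            rrsigs.append({"name": name, "type_covered": f[4], "algorithm": int(f[5]),
                           "labels": int(f[6]), "original_ttl": int(f[7]),
                           "expiration": _parse_timestamp(f[8]),
                           "inception": _parse_timestamp(f[9]),
                           "key_tag": int(f[10]), "signer": f[11],
                           "signature": "".join(f[12:])})
    return dnskeys, rrsigs


def key_tag(flags, protocol, algorithm, public_key_b64):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (16-bit word sum with carry fold)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_rrsig(rrsig, now, warn_before=timedelta(days=7)):
    """Classify the signature as a validator whose clock reads `now` would.

    warn_before is an assumed monitoring threshold, not part of DNSSEC.
    """
    if now < rrsig["inception"]:
        return "not-yet-valid", rrsig["inception"] - now
    if now > rrsig["expiration"]:
        return "expired", now - rrsig["expiration"]
    remaining = rrsig["expiration"] - now
    if remaining < warn_before:
        return "expiring-soon", remaining
    return "valid", remaining


def signing_keys(dnskeys, rrsig):
    """DNSKEYs in the RRset whose algorithm and key tag match the RRSIG."""
    return [k for k in dnskeys
            if k["algorithm"] == rrsig["algorithm"]
            and key_tag(k["flags"], k["protocol"], k["algorithm"], k["key"]) == rrsig["key_tag"]]


def report(text, now):
    """One status line per RRSIG covering the DNSKEY RRset."""
    dnskeys, rrsigs = parse_records(text)
    lines = []
    for sig in (s for s in rrsigs if s["type_covered"] == "DNSKEY"):
        status, delta = check_rrsig(sig, now)
        present = bool(signing_keys(dnskeys, sig))
        lines.append(f"{sig['name']} RRSIG(DNSKEY) keytag={sig['key_tag']} {status} ({delta}); "
                     f"window {sig['inception']:%Y-%m-%d %H:%M:%S} to "
                     f"{sig['expiration']:%Y-%m-%d %H:%M:%S} UTC; "
                     f"key with that tag in RRset: {present}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DIG_OUTPUT, datetime.now(timezone.utc)):
        print(line)
```

Run against live data by piping `dig +dnssec @sima.ns.cloudflare.com agrilinks.org DNSKEY` into `parse_records` instead of the constructed sample; the useful alert is the "expiring-soon" state, since by the time a validator returns SERVFAIL the zone is already unreachable for everyone behind a validating resolver. The script compares timestamps as absolute datetimes rather than with the serial-number arithmetic RFC 4034 specifies, which is equivalent for any signature whose window is within a few decades of the present.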