Greetings.
> On 24.07.2024 at 11:50, Serhii via mailop <mailop@mailop.org> wrote:
>
> Hello,
>
> I have started a migration to a new MX recently and I have discovered that
> new MX rejects mx.mailop.org early due to DNS failure. As I can see now, it
> is related to DNSSEC problems (at a new machine, I have DNSSEC restricted
> from downgrading). I have checked if it is my resolver being faulty but no, I
> am able to replicate this problem using Cloudflare DoH:

It’s an operational problem at the public nameservers, ns1.dnssec.works and ns2.dnssec.works, end. They don’t pick up the new RRSIG signature from the hidden primary and their own DNS zone seems to be broken. The log on mailop.org’s primary end tells it notifies the machines, but then no AXFR takes place. Firewall settings allow communication. Everything from the hidden primaries' side says it SHOULD work, but as reality has it, it doesn’t.

Unfortunately I can’t notify the person running the two nameservers at the moment, as he is offline until Sunday. I’ll drop him a message, but that’s all I can do for now.

I will check other options in the meantime.

Patrick

>> $ curl --silent --http2 --header "accept: application/dns-json" \
>>     "https://1.1.1.1/dns-query?name=mx.mailop.org" | jq .
>> {
>>   "Status": 2,
>>   "TC": false,
>>   "RD": true,
>>   "RA": true,
>>   "AD": false,
>>   "CD": false,
>>   "Question": [
>>     {
>>       "name": "mx.mailop.org",
>>       "type": 1
>>     }
>>   ],
>>   "Comment": [
>>     "EDE(7): Signature Expired for DNSKEY dnssec.works., id = 41779: RRSIG dnssec.works., expiration = 1721570770",
>>     "EDE(18): Prohibited"
>>   ]
>> }
>
> --
> Send unsolicited bulk mail to carl...@at.encryp.ch
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
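The DoH answer quoted in this message can be triaged mechanically. The following is an added example, not part of the original mail or of any mailop tooling: it parses that JSON body, picks out the RFC 8914 Extended DNS Error codes, and converts the RRSIG expiration epoch into a date. It assumes the `Comment` strings have the shape shown in the quoted output; the function name `diagnose` and the pinned "now" (the mail's timestamp, treated as UTC) are choices made for this example.

```python
import json
import re
from datetime import datetime, timezone

# Response body copied from the quoted curl output (wrapped comment string re-joined).
SAMPLE = json.loads("""
{"Status": 2, "TC": false, "RD": true, "RA": true, "AD": false, "CD": false,
 "Question": [{"name": "mx.mailop.org", "type": 1}],
 "Comment": [
  "EDE(7): Signature Expired for DNSKEY dnssec.works., id = 41779: RRSIG dnssec.works., expiration = 1721570770",
  "EDE(18): Prohibited"]}
""")

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
# RFC 8914 info codes that indicate a DNSSEC validation problem.
DNSSEC_EDE = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}
EDE_RE = re.compile(r"^EDE\((\d+)\):\s*(.*)$")
EXP_RE = re.compile(r"expiration = (\d+)")


def diagnose(resp, now):
    """Summarise a DoH JSON answer: rcode, EDE codes and any RRSIG expiry found."""
    comments = resp.get("Comment", [])
    if isinstance(comments, str):  # tolerate a single string instead of a list
        comments = [comments]
    status = resp.get("Status")
    report = {"rcode": RCODES.get(status, str(status)), "ede": [],
              "dnssec_failure": False, "expired": []}
    for comment in comments:
        m = EDE_RE.match(comment)
        if not m:
            continue
        code, text = int(m.group(1)), m.group(2)
        report["ede"].append(code)
        if code in DNSSEC_EDE:
            report["dnssec_failure"] = True
        exp = EXP_RE.search(text)
        if exp:
            when = datetime.fromtimestamp(int(exp.group(1)), tz=timezone.utc)
            # (expiry time in UTC, whole days the signature has been expired)
            report["expired"].append((when.isoformat(), (now - when).days))
    return report


if __name__ == "__main__":
    # "now" pinned to the quoted mail's date (24.07.2024 11:50), assumed UTC.
    print(diagnose(SAMPLE, datetime(2024, 7, 24, 11, 50, tzinfo=timezone.utc)))
```
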