Greetings,

We’ve migrated the DNS zone for mailop.org to other nameservers. These are 
located in two different TLDs and in two different computing centers. This 
should prevent the cause we ran into with the NSes formerly in place.
It will take a while until the news has spread, but the issue should be 
resolved if you see this in your output:

# dig +dnssec +short NS mailop.org
nsx02.sys4.farm.
nsx01.sys4.de.
NS 13 2 600 20240823114232 20240724104232 12161 mailop.org. XEBJvB9zDngoFACbDZMdKVIRxa1yRSJbu3v/1JedjfNK+fGtYEIIwux7 BrNT2Fpv664RO6IHBEFZFOzdhL3+ug==


The 'ad' flag in the following output flags section indicates 'authenticated 
data' proving DNSSEC works:

; <<>> DiG 9.10.6 <<>> +dnssec MX mailop.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1546
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;mailop.org.                    IN      MX

;; ANSWER SECTION:
mailop.org.             290     IN      MX      5 mx.mailop.org.
mailop.org.             290     IN      RRSIG   MX 13 2 300 20240823010723 20240724005945 12161 mailop.org. DTSdBekHXfLRPG8VhlaWtldQhRhp2Fb6y8v2I73ePuiTv04MIr7kSmS6 L/GvYSQvlcrgvuKm0YfqijVrYgXCtQ==

;; Query time: 42 msec
;; SERVER: 2001:a61:126c:fe80:de58:bcff:fee0:285a#53(2001:a61:126c:fe80:de58:bcff:fee0:285a)
;; WHEN: Wed Jul 24 15:43:53 CEST 2024
;; MSG SIZE  rcvd: 164


Regards,

Patrick




> On 24.07.2024 at 12:55, Patrick Ben Koetter via mailop 
> <mailop@mailop.org> wrote:
> 
> Greetings.
> 
> 
>> On 24.07.2024 at 11:50, Serhii via mailop <mailop@mailop.org> wrote:
>> 
>> Hello,
>> 
>> I have started a migration to a new MX recently and I have discovered that 
>> the new MX rejects mx.mailop.org early due to DNS failure. As I can see 
>> now, it is related to DNSSEC problems (on the new machine, I have DNSSEC 
>> restricted from downgrading). I have checked if it is my resolver being 
>> faulty but no, I am able to replicate this problem using Cloudflare DoH:
> 
> 
> It’s an operational problem at the public nameservers' end, ns1.dnssec.works 
> and ns2.dnssec.works. They don’t pick up the new RRSIG signature from the 
> hidden primary and their own DNS zone seems to be broken. The log on 
> mailop.org’s primary end says it notifies the machines, but then no AXFR 
> takes place. Firewall settings allow communication. Everything from the 
> hidden primaries' side says it SHOULD work, but as reality has it, it 
> doesn’t.
> 
> Unfortunately I can’t notify the person running the two nameservers at the 
> moment, as he is offline until Sunday. I’ll drop him a message, but that’s 
> all I can do for now.
>  
> I will check other options in the meantime.
> 
> Patrick
> 
> 
> 
>> 
>>> $ curl --silent --http2 --header "accept: application/dns-json" \
>>>     "https://1.1.1.1/dns-query?name=mx.mailop.org" | jq .
>>> {
>>>  "Status": 2,
>>>  "TC": false,
>>>  "RD": true,
>>>  "RA": true,
>>>  "AD": false,
>>>  "CD": false,
>>>  "Question": [
>>>    {
>>>      "name": "mx.mailop.org",
>>>      "type": 1
>>>    }
>>>  ],
>>>  "Comment": [
>>>    "EDE(7): Signature Expired for DNSKEY dnssec.works., id = 41779: RRSIG dnssec.works., expiration = 1721570770",
>>>    "EDE(18): Prohibited"
>>>  ]
>>> }
>> 
>> 
>> 
>> -- 
>> Send unsolicited bulk mail to carl...@at.encryp.ch
>> _______________________________________________
>> mailop mailing list
>> mailop@mailop.org
>> https://list.mailop.org/listinfo/mailop
> 
> [*] sys4 AG
> 
> http://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
> 
> Registered office: München, Amtsgericht München: HRB 199263
> Executive Board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the Supervisory Board: Florian Kirstein
> 

[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
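
An added example, not part of the thread and not sys4's tooling: a Python check that classifies an RRSIG line from dig output against its validity window and decodes the EDE entries of a DoH JSON answer, run on the values posted above. The function names and the 7-day warning threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# RRSIG RDATA, presentation format (RFC 4034): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer. Timestamps are UTC.
RRSIG_RE = re.compile(
    r"(?P<covered>[A-Z][A-Z0-9]*)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)")

def _ts(s):
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_status(line, now, warn=timedelta(days=7)):
    """Classify one RRSIG line of dig output against its validity window."""
    m = RRSIG_RE.search(line)
    if not m:
        raise ValueError("no RRSIG RDATA in line")
    inc, exp = _ts(m["inc"]), _ts(m["exp"])
    if now < inc:
        state = "not-yet-valid"   # clock skew or a signature published early
    elif now >= exp:
        state = "expired"         # validating resolvers answer SERVFAIL
    elif exp - now <= warn:
        state = "expiring"        # re-signing or zone transfer is overdue
    else:
        state = "ok"
    return {"covered": m["covered"], "signer": m["signer"],
            "key_tag": int(m["tag"]), "expires": exp, "state": state}

def ede_findings(doh_answer):
    """Pull Extended DNS Error entries (RFC 8914) out of a DoH JSON answer."""
    comments = doh_answer.get("Comment", [])
    if isinstance(comments, str):
        comments = [comments]
    found = []
    for c in comments:
        m = re.match(r"EDE\((\d+)\): (.*)", c)
        if m:
            exp = re.search(r"expiration = (\d+)", c)
            found.append({"code": int(m[1]), "text": m[2], "expired_at":
                datetime.fromtimestamp(int(exp[1]), timezone.utc) if exp else None})
    return found

# Values copied from the thread; the signature is replaced by a placeholder.
NS_RRSIG = "NS 13 2 600 20240823114232 20240724104232 12161 mailop.org. <signature>"
DOH = {"Status": 2, "AD": False, "Comment": [
    "EDE(7): Signature Expired for DNSKEY dnssec.works., id = 41779: "
    "RRSIG dnssec.works., expiration = 1721570770", "EDE(18): Prohibited"]}

if __name__ == "__main__":
    now = datetime(2024, 7, 24, 13, 43, 53, tzinfo=timezone.utc)  # 15:43:53 CEST
    print(rrsig_status(NS_RRSIG, now))
    for f in ede_findings(DOH):
        print(f)
```
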
