On Thu, Oct 11, 2018, at 10:53 AM, Jim Reid wrote:
> Although switching off DNSSEC validation will keep the mail flowing, it
> only kludges around the underlying problem. Which might or might not be
> related to the rollover of the root KSK a few hours ago. It’s hard to
> tell from the information you’ve provided. That said, you do appear to
> have a DNS server misconfiguration which is causing DNSSEC validation to
> fail. Clearly it would be wise to fix that before turning DNSSEC
> validation on again.
>
> The switch to the new KSK seems the most likely cause, assuming DNSSEC
> validation always worked for you before then.
It's been 'working' for ages. Yes, I could have been 'just lucky for a long
time'. Bears looking at certainly.
> > Is 'ready' simply .... 'wait awhile' ?
>
> Maybe, maybe not. It depends on what is broken in your DNSSEC setup. If
> you’ve hard-wired the now dead root KSK, waiting a while won’t help.
> That key will still be dead when you re-enable DNSSEC validation. No
> matter how long or short you wait.
>
> Consult ICANN’s web pages on the root KSK rollover. They have info on
> how to check that DNS configurations handle the KSK rollover properly
> and how to troubleshoot them when they don’t.
Isn't 'hardwired' here afaict. Looking at the ICANN site -- again -- is
probably best advice.
Thx!
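One way to check the point made above, that an anchor hard-wired to the retired root KSK stays dead however long you wait: this is an added example, not code from the thread or from ICANN's pages. It assumes root DNSKEY records in zone-file presentation form (as `dig . DNSKEY +noall +answer` prints them) and the well-known key tags of the two root KSKs, which the thread does not name.

```python
import base64
import re

# Key tags of the real root KSKs. These are well-known values, not from the
# thread; the sample records below are constructed, not the real root keys.
KSK_2010_TAG = 19036  # retired at the October 2018 rollover
KSK_2017_TAG = 20326  # the KSK in use since the rollover

_DNSKEY_RE = re.compile(
    r"^\s*\.\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$", re.I
)

# Constructed dig-style listing: a ZSK (skipped) plus two tiny SEP keys whose
# public-key bytes were chosen so their tags equal the two real KSK tags.
SAMPLE_LISTING = """\
.  172800  IN  DNSKEY  256 3 8 AQIDBA==
.  172800  IN  DNSKEY  257 3 8 RlM=
.  172800  IN  DNSKEY  257 3 8 S10=
"""


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def anchor_key_tags(text):
    """Key tags of every SEP-flagged (flags bit 1) DNSKEY for '.' in text."""
    tags = []
    for line in text.splitlines():
        m = _DNSKEY_RE.match(line)
        if not m:
            continue
        flags, proto, alg = (int(x) for x in m.group(1, 2, 3))
        if not flags & 1:  # not a SEP key, so never a trust anchor
            continue
        pubkey = base64.b64decode("".join(m.group(4).split()))
        tags.append(key_tag(flags, proto, alg, pubkey))
    return tags


def anchor_status(tags):
    """'ok' if KSK-2017 is trusted, 'retired-only' if only KSK-2010 is."""
    if KSK_2017_TAG in tags:
        return "ok"
    return "retired-only" if KSK_2010_TAG in tags else "no-root-ksk"


if __name__ == "__main__":
    tags = anchor_key_tags(SAMPLE_LISTING)
    print(tags, anchor_status(tags))
```

Feed it the output of `dig . DNSKEY +noall +answer` from the validating resolver, or the resolver's trust-anchor records rewritten in that form; a result of "retired-only" means validation will keep failing until the anchor is replaced, not until time passes.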