As mentioned on Swinog IRC (yes we are alive there, join us! :):
admin.ch is unreachable due to broken DNSSEC.
See:
https://dnsviz.net/d/admin.ch/dnssec/
8<----
ch to admin.ch: No valid RRSIGs made by a key corresponding to a DS RR
were found covering the DNSKEY RRset, resulting in no secure entry point
(SEP) into the zone. (162.23.37.16, 162.23.37.160, 212.103.72.85,
2a00:c38:2:28:0:ffff:d467:4855, UDP_-_EDNS0_4096_D_K)
ch to admin.ch: The DS RRset for the zone included algorithm 8
(RSASHA256), but no DS RR matched a DNSKEY with algorithm 8 that signs
the zone's DNSKEY RRset. (162.23.37.16, 162.23.37.160, 212.103.72.85,
2a00:c38:2:28:0:ffff:d467:4855, UDP_-_EDNS0_4096_D_K)
------>8
(I got a screencap of the page for later, just in case it gets
fixed/changed in the meantime; swinog only allows 40KiB attachments
which would ruin the res too much for it to be useful :)
Thus for all ISPs on this list: tell your customers that it is an
admin.ch issue, not something you can solve (unless you disable dnssec
validation for admin.ch, which is an option, but kinda against dnssec).
(Fortunately it is not tax time or something like that)
For folks working at admin.ch: I offer myself pro bono to help out
resolving the issue, don't hesitate to reach out (email or contact
details on my homepage).
We can then replicate a stable environment as described in:
https://jeroen.massar.ch/presentations/vid/SwiNOG35-Managing_sleep_with_a_resilient_infrastructure/
or otherwise likely improve the situation to avoid such outages.
Good luck folks at admin.ch in resolving this..
Greets,
Jeroen
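
The condition DNSViz reports above (the parent's DS RRset matches no DNSKEY that signs the zone's DNSKEY RRset, so there is no secure entry point) can be checked structurally as in the following added example, which is not part of the original message. The zone name `example.ch.`, the key bytes and all function names are constructed for illustration and are not admin.ch's records; only DS digest type 2 (SHA-256) is handled and signature bytes are not verified.

```python
import hashlib
import struct

def name_wire(name):
    """Canonical (lowercased) wire format of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags (2) | protocol = 3 (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner wire name | DNSKEY RDATA)."""
    return hashlib.sha256(name_wire(owner) + rdata).hexdigest()

def make_ds(owner, key):
    """Build the (key tag, algorithm, digest type, digest) a parent would publish."""
    rdata = dnskey_rdata(*key)
    return (key_tag(rdata), key[1], 2, ds_sha256(owner, rdata))

def secure_entry_points(owner, ds_set, dnskeys, dnskey_signers):
    """Key tags of DNSKEYs that match a DS RR and sign the DNSKEY RRset.

    dnskey_signers: {(key tag, algorithm)} taken from the RRSIGs covering the
    DNSKEY RRset. Signature bytes are NOT verified here; structural check only.
    """
    seps = []
    for key in dnskeys:
        ds = make_ds(owner, key)
        if ds in ds_set and (ds[0], ds[1]) in dnskey_signers:
            seps.append(ds[0])
    return seps

# Constructed data: placeholder key bytes, not real keys; zone name is hypothetical.
ZONE = "example.ch."
OLD_KSK = (257, 8, bytes(range(64)))
NEW_KSK = (257, 8, bytes(range(64, 128)))

def demo():
    """Parent DS for a key the zone no longer publishes vs. a DS for the live key."""
    new_tag = key_tag(dnskey_rdata(*NEW_KSK))
    zone_keys, signers = [NEW_KSK], {(new_tag, 8)}
    broken = secure_entry_points(ZONE, [make_ds(ZONE, OLD_KSK)], zone_keys, signers)
    healthy = secure_entry_points(ZONE, [make_ds(ZONE, NEW_KSK)], zone_keys, signers)
    return broken, healthy, new_tag
```

An empty result corresponds to the "no secure entry point" state, which a validating resolver treats as bogus and answers with SERVFAIL.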