discuss AT lists.opennicproject.org
Subject: Discuss mailing list
Re: [opennic-discuss] Discuss mailing list: Problem with DNSSEC implementation
- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Discuss mailing list: Problem with DNSSEC implementation
- Date: Tue, 25 Jul 2023 17:39:16 -0600
We've been talking about this in the chat as well. There are a large number of T2 servers which appear to no longer be resolving many country TLDs, and so far the common theme is that none of the failing servers are working with dnssec.
I'm afraid I don't have any answers as to WHY those servers are failing, but since a number of T2 servers do still resolve those country TLDs correctly, and they also resolve dnssec records as expected, I don't believe the problem is with the opennic root zone.
My concern is that it might have something to do with all the people who have set up T2 servers which don't actually resolve queries, but simply pass them on to a T1 or another server to perform lookups. I know there was a period where a lot of folks were setting up PowerDNS servers which were unable to do anything but act as a hints server (thus passing off all the lookup functions to T1 servers). I'm not sure if that software has finally evolved to be a real DNS server or not, but it would certainly be interesting to know what software is being run on all the failing servers. I know at least a couple of the *working* servers that I've checked are running bind9, but it's also possible that a recent update of one of the popular DNS packages has introduced a bug.
We'll try to keep folks updated in the chat, and a bit less frequently here in the mailing list, but so far we don't have any solid answers.
We have a problem implementing DNSSEC on BebasID's DNS server.
Today, many clients of ours are complaining about our DNS server so we decided to investigate what's going on.
When I checked the log, it seemed that there's an issue with DNSSEC itself, so we first tried to update the DNSSEC key, but it is still returning SERVFAIL and the error in the log is still the same, which caused non-OpenNIC domains to not be resolvable.
I already followed the tutorial at https://wiki.opennic.org/opennic/dnssec by copying the latest DNSSEC key from the dig result.
So temporarily, until this issue is fixed, we changed the root server to the default one provided by ICANN while forwarding every OpenNIC domain to a Tier 1 server with a forwarder so users can still access OpenNIC domains.
Can you help me please?
Aldi from BebasID
Official Email by BebasID™ Management Team
BebasID™ and its affiliates are part of KINI (Komunitas Internet Netral Indonesia), which is a community and non-profit organization focused on net neutrality for every user in Indonesia.
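A way to triage the failing resolvers discussed in this thread, as an added example (not code from the list or from OpenNIC): ask a resolver for a country TLD's SOA once normally and once with the CD (checking disabled) bit set. SERVFAIL that disappears with CD points at DNSSEC validation on that resolver rather than at the zone data. The resolver names and flag words in `SAMPLE` are constructed; `probe` is the live variant and takes whatever server address you supply.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=6, cd=False, qid=0x1234):
    """SOA query (type 6) with RD set, EDNS0 DO set, and optionally CD (checking disabled)."""
    flags = 0x0100 | (0x0010 if cd else 0)
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)  # OPT RR, DO bit
    return struct.pack("!6H", qid, flags, 1, 0, 0, 1) + qname + struct.pack("!2H", qtype, 1) + opt

def parse_flags(resp):
    """Return (rcode name, AD bit) from a DNS response header."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", resp[2:4])[0]
    return RCODES.get(flags & 0xF, str(flags & 0xF)), bool(flags & 0x0020)

def classify(normal, checking_disabled):
    """Compare the answer with validation on (CD=0) and off (CD=1)."""
    (rc, ad), (rc_cd, _) = normal, checking_disabled
    if rc == "SERVFAIL" and rc_cd == "NOERROR":
        return "dnssec-validation-failure"   # data is reachable, validation rejects it
    if rc == "SERVFAIL":
        return "resolution-failure"          # fails even unvalidated: look upstream or at the forwarder
    if rc == "NOERROR":
        return "validated" if ad else "resolves-unvalidated"  # no AD: not validating, or zone unsigned
    return "other:" + rc

def probe(server, name, timeout=3.0):
    """Ask one resolver both ways over UDP; needs network access."""
    answers = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, cd=cd), (server, 53))
            answers.append(parse_flags(s.recvfrom(4096)[0]))
    return classify(*answers)

# Constructed response flag words (CD=0, CD=1) for offline use, not captured traffic.
SAMPLE = {"resolver-a": (0x8182, 0x8190), "resolver-b": (0x8182, 0x8192),
          "resolver-c": (0x81A0, 0x8190), "resolver-d": (0x8180, 0x8190)}

def demo():
    hdr = lambda flags: struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    return {k: classify(parse_flags(hdr(a)), parse_flags(hdr(b))) for k, (a, b) in SAMPLE.items()}
```

Running `probe` against each T2 server for a few country TLDs, alongside the server software in use, gives the per-server picture the thread asks for.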