
discuss - Re: [opennic-discuss] Discuss mailing list: Problem with DNSSEC implementation

  • From: Jeff Taylor <shdwdrgn AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] Discuss mailing list: Problem with DNSSEC implementation
  • Date: Tue, 25 Jul 2023 17:39:16 -0600

We've been talking about this in the chat as well.  There are a large number of T2 servers which appear to no longer be resolving many country TLDs, and so far the common theme is that none of the failing servers are working with dnssec.

I'm afraid I don't have any answers as to WHY those servers are failing, but since a number of T2 servers do still resolve those country TLDs correctly, and they also resolve dnssec records as expected, I don't believe the problem is with the opennic root zone.

My concern is that it might have something to do with all the people who have set up T2 servers which don't actually resolve queries, but simply pass them on to a T1 or another server to perform lookups.  I know there was a period where a lot of folks were setting up PowerDNS servers which were unable to do anything but act as a hints server (thus passing off all the lookup functions to T1 servers). I'm not sure if that software has finally evolved to be a real DNS server or not, but it would certainly be interesting to know what software is being run on all the failing servers.  I know at least a couple of the *working* servers that I've checked are running bind9, but it's also possible that a recent update of one of the popular DNS packages has introduced a bug.

We'll try to keep folks updated in the chat, and a bit less frequently here in the mailing list, but so far we don't have any solid answers.

On 7/24/23 23:12, BebasID Management Team wrote:

Good afternoon,

We have a problem implementing DNSSEC on bebasid's DNS Server.

Today, many clients of ours are complaining about our DNS server so we decided to investigate what's going on.

When I checked the log, it seemed that there's an issue with the DNSSEC itself, so we tried to update the DNSSEC key at first, but it is still returning SERVFAIL and the error in the log is still the same, which caused non-OpenNIC domains to not be resolvable.

I already followed tutorial on by copying latest DNSSEC key from the dig result. 

So temporarily, until this issue is fixed, we changed the root server to the default one provided by ICANN while forwarding every OpenNIC domain to a Tier 1 server with a forwarder so users can still access OpenNIC domains.

Can you help me please?

Thank you,

Aldi from BebasID


Official Email by BebasID™ Management Team


BebasID™ and its affiliate are the part of KINI (Komunitas Internet Netral Indonesia) which is a community and non-profit organization focused on net neutrality for every user in Indonesia
