Discuss mailing list

[Erich Eckner <opennic AT eckner.net>]

Hi,

I have no hard evidence, either, but:

My local (non-public) resolver (which is set up similarly to most T2 
resolvers) running bind9 was recently failing to resolve a lot of domains 
due to DNSSEC. Looking into the issue, I found, that the system clock was 
off by about an hour, which apparently made a lot of certificates to be 
rejected due to "not yet being valid".

Maybe the lifetime of a lot (or a few important) DNSSEC certificates was 
recently drastically reduced, and those broken T2 resolvers now suddenly 
exhibit the same issue?

regards,
Erich

On Tue, 25 Jul 2023, Jeff Taylor wrote:

> We've been talking about this in the chat as well.  There are a large number 
> of T2 servers which appear to no longer be resolving many country TLDs, and 
> so far the common theme is that none of the failing servers are working with 
> dnssec.
>
> I'm afraid I don't have any answers as to WHY those servers are failing, but 
> since a number of T2 servers do still resolve those country TLDs correctly, 
> and they also resolve dnssec records as expected, I don't believe the problem 
> is with the opennic root zone.
>
> My concern as that it might have something to do with all the people who have 
> set up T2 servers which don't actually resolve queries, but simply pass them 
> on to a T1 or another server to perform lookups.  I know there was a period 
> where a lot of folks were setting up powerDNS servers which were unable to do 
> anything but act as a hints server (thus passing off all the lookup functions 
> to T1 servers), I'm not sure if that software has finally evolved to be a 
> real DNS server of not, but it would certainly be interesting to know what 
> software is being run on all the failing servers.  I know at least a couple 
> of the *working* servers that I've checked are running bind9, but it's also 
> possible that a recent update of one of the popular DNS packages has 
> introduced a bug.
>
> We'll try to keep folks updated in the chat, and a bit less frequently here 
> in the mailing list, but so far we don't have any solid answers.
>
>
> On 7/24/23 23:12, BebasID Management Team wrote:
> > *Good afternoon,*
> >
> > We have a problem for implementing DNSSEC on bebasid's DNS Server.
> >
> > Today, many clients of ours are complaining about our DNS server so we 
> > decided to investigate what's going on.
> >
> > When I checked the log, it seems that there's an issue with the DNSSEC 
> > itself so we tried to update the DNSSEC key at first but it still returning 
> > SERVFAIL and the error on the log still return the same which caused 
> > non-OpenNIC domain to not able to be resolved.
> >
> > I already followed tutorial on https://wiki.opennic.org/opennic/dnssec by 
> > copying latest DNSSEC key from the dig result.
> >
> > So for temporary until this issue is fixed, We changed the root server to 
> > default one provided by ICANN while forwarding every OpenNIC domain to Tier 
> > 1 server with forwarder so user can still access OpenNIC domain.
> >
> > Can you help me please?
> >
> > *Thank you,*
> >
> > *Aldi from BebasID*
> >
> > --
> > ------------------------------------------------------------------------
> >
> > **
> >
> > *Official Email by BebasID™ Management Team*
> >
> > *Official Website <https://bebasid.com> | GitHub 
> > <https://github.com/bebasid> | Discord <https://discord.gg/EKrxZyu> | 
> > Saweria <https://saweria.co/bebasid> | Trakteer 
> > <https://trakteer.id/bebasidbykini>*
> >
> > *BebasID™ and its a**ffiliate are the part of KINI (Komunitas Internet 
> > Netral Indonesia) which is a community and non-profit organization focused 
> > on net neutrality for every user in Indonesia*
> >
> >
> >
> > --------
> > You are a member of the OpenNIC Discuss list.
> > You may unsubscribe by emailingdiscuss-unsubscribe AT lists.opennicproject.org