

Re: [opennic-discuss] Discuss mailing list: Problem with DNSSEC implementation

  • From: Erich Eckner <opennic AT>
  • To: "discuss AT" <discuss AT>
  • Subject: Re: [opennic-discuss] Discuss mailing list: Problem with DNSSEC implementation
  • Date: Wed, 26 Jul 2023 10:05:31 +0200 (CEST)
  • Author: Erich Eckner <opennic AT>
  • Original-subject: Re: [opennic-discuss] Discuss mailing list: Problem with DNSSEC implementation


I have no hard evidence, either, but:

My local (non-public) resolver (which is set up similarly to most T2 resolvers), running bind9, was recently failing to resolve a lot of domains due to DNSSEC. Looking into the issue, I found that the system clock was off by about an hour, which apparently caused a lot of certificates to be rejected for "not yet being valid".

Maybe the lifetime of a lot (or a few important) DNSSEC certificates was recently drastically reduced, and those broken T2 resolvers now suddenly exhibit the same issue?


On Tue, 25 Jul 2023, Jeff Taylor wrote:

We've been talking about this in the chat as well.  There are a large number of T2 servers which appear to no longer be resolving many country TLDs, and so far the common theme is that none of the failing servers are working with dnssec.

I'm afraid I don't have any answers as to WHY those servers are failing, but since a number of T2 servers do still resolve those country TLDs correctly, and they also resolve dnssec records as expected, I don't believe the problem is with the opennic root zone.

My concern is that it might have something to do with all the people who have set up T2 servers which don't actually resolve queries, but simply pass them on to a T1 or another server to perform lookups.  I know there was a period where a lot of folks were setting up powerDNS servers which were unable to do anything but act as a hints server (thus passing off all the lookup functions to T1 servers). I'm not sure if that software has finally evolved into a real DNS server or not, but it would certainly be interesting to know what software is being run on all the failing servers.  I know at least a couple of the *working* servers that I've checked are running bind9, but it's also possible that a recent update of one of the popular DNS packages has introduced a bug.

We'll try to keep folks updated in the chat, and a bit less frequently here in the mailing list, but so far we don't have any solid answers.

On 7/24/23 23:12, BebasID Management Team wrote:

*Good afternoon,*

We have a problem with implementing DNSSEC on bebasid's DNS server.

Today, many clients of ours are complaining about our DNS server so we decided to investigate what's going on.

When I checked the log, it seemed that there was an issue with DNSSEC itself, so we tried to update the DNSSEC key first, but it was still returning SERVFAIL and the error in the log was still the same, which caused non-OpenNIC domains to not be resolvable.

I already followed the tutorial on by copying the latest DNSSEC key from the dig result.

So, temporarily, until this issue is fixed, we changed the root servers to the default ones provided by ICANN while forwarding every OpenNIC domain to a Tier 1 server with a forwarder, so users can still access OpenNIC domains.

Can you help me please?

*Thank you,*

*Aldi from BebasID*



*Official Email by BebasID™ Management Team*

*Official Website | GitHub | Discord | Saweria | Trakteer*

*BebasID™ and its affiliate are part of KINI (Komunitas Internet Netral Indonesia), which is a community and non-profit organization focused on net neutrality for every user in Indonesia*
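The clock-skew failure Erich describes at the top of this thread (a validator whose clock runs behind rejects signatures as "not yet valid", and shorter signature lifetimes leave less room for such errors) can be checked directly against the timing fields of an RRSIG as printed by dig. The script below is an added illustration, not code from the thread or from any of the participants; the RRSIG line, the owner name `example.` and the key tag are constructed sample values, and the validity check is the one-sided window comparison a validating resolver performs against its own local clock.

```python
from datetime import datetime, timedelta, timezone

# Constructed dig-style RRSIG line (sample values, not a real record). Field order
# follows RFC 4034 presentation format: type alg labels origTTL expiration
# inception keytag signer signature.
SAMPLE_RRSIG_LINE = (
    "example. 3600 IN RRSIG DNSKEY 13 1 3600 "
    "20230802070000 20230726070000 12345 example. c2lnbmF0dXJlLWJ5dGVz"
)

def parse_rrsig_time(field):
    """RRSIG times are UTC in YYYYMMDDHHMMSS form."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_dig_rrsig(line):
    """Pull the validity window out of one RRSIG line as dig prints it."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG presentation line")
    return {"owner": f[0], "type_covered": f[4], "key_tag": int(f[10]),
            "expiration": parse_rrsig_time(f[8]), "inception": parse_rrsig_time(f[9])}

def check_rrsig_window(rrsig, local_now):
    """Classify the signature the way a validator does: against its own clock."""
    if local_now < rrsig["inception"]:
        return "not_yet_valid"
    if local_now > rrsig["expiration"]:
        return "expired"
    return "valid"

def skew_tolerance(rrsig, true_now):
    """How far the validator's clock may run behind / ahead of true time before the
    signature is rejected. A shorter signature lifetime shrinks both margins, so a
    clock error that used to be harmless can start producing SERVFAIL."""
    return true_now - rrsig["inception"], rrsig["expiration"] - true_now

def run_demo():
    """Constructed scenario: true time 07:30 UTC, signature incepted at 07:00 UTC."""
    sig = parse_dig_rrsig(SAMPLE_RRSIG_LINE)
    true_now = datetime(2023, 7, 26, 7, 30, tzinfo=timezone.utc)
    results = {}
    for skew_minutes in (0, -30, -60, 60):  # local clock error, minutes
        local_now = true_now + timedelta(minutes=skew_minutes)
        results[skew_minutes] = check_rrsig_window(sig, local_now)
    behind, ahead = skew_tolerance(sig, true_now)
    results["tolerance_minutes"] = (int(behind.total_seconds() // 60),
                                    int(ahead.total_seconds() // 60))
    return results

if __name__ == "__main__":
    for skew, status in run_demo().items():
        print(f"{skew}: {status}")
```

In this constructed case a clock one hour behind true time lands before the inception timestamp and the signature is rejected, while the same clock error half an hour later would be tolerated; comparing the margins reported by `skew_tolerance` with the offset shown by `ntpdate -q` or `chronyc tracking` is a quick way to rule clock drift in or out on a failing T2.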
