[Dnssec-deployment] Expired RRSIGs for .be

Stephane Bortzmeyer bortzmeyer at nic.fr
Sat Oct 9 12:58:10 EDT 2010


On Sat, Oct 09, 2010 at 04:42:37PM +0000,
 Dan Mahoney <dmahoney at isc.org> wrote 
 a message of 37 lines which said:

> There's also something to be said for having valid contact into in
> your SOA record.  And actually checking it.  And setting a whitelist
> for DNS|ZONE|SIG|EXPIR|PROBLEM|ISSUE for that address in your spam
> system of choice.

I assume/hope that every zone operator worth of the name already does
it. But the point was "How to tell DNS operators that their DNS zone
no longer works?" I cannot use the address in the SOA of isc.org is
the DNSSEC signatures of isc.org expire... (Even if the SOA was cached
before, the address in it depends on a working isc.org domain.)


More information about the Dnssec-deployment mailing list