[Pdns-users] cryptokeys.id out of sync

James Cloos cloos at jhcloos.com
Tue Aug 6 17:16:06 UTC 2013

>>>>> "PvD" == Peter van Dijk <peter.van.dijk at netherlabs.nl> writes:

>> I presume that the unsynced .id is enough to confuse verifiers?

PvD> Verifiers don't see the .id, so that can't be it. Can you post the
PvD> name of a failing zone and point us to the working and failing auths?

After I posted that, I decided to test using nsd via axfr on the
secondaries, so the disagreeing instances are not in service.

But for a test I just started one of them on port 54.  Compare the
servers:  ore.jhcloos.com:53 vs liberty.jhcloos.com:54 with zones

Both http://dnssec-debugger.verisignlabs.com/${ZONE} and
http://dnsviz.net/d/${ZONE}/dnssec/ were complaining about
verification until I switched back to axfr.

James Cloos <cloos at jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

More information about the Pdns-users mailing list