[Pdns-users] DNSSEC-Problems on g.root-servers.net?

Christian Renner christian.renner at iway.ch
Mon Sep 17 08:39:38 UTC 2018


Hi

Since about 20 hours we see many dnssec validation errors on all of our pdns recursors.
A few recent examples:

Sep 17 10:12:37 ac-rns2 pdns_recursor[24059]: Answer to onba.zkb.ch|A for 178.22.104.86:36796 validates as Bogus
Sep 17 10:12:25 ac-rns2 pdns_recursor[24059]: Answer to cdn.migros.ch|A for 185.104.84.182:34036 validates as Bogus
Sep 17 10:12:48 ac-rns1 pdns_recursor[111558]: Answer to smtp.phys.ethz.ch|A for 83.150.57.154:52291 validates as Bogus
Sep 17 10:12:37 ac-rns1 pdns_recursor[111558]: Answer to www.admin.ch|A for 212.25.2.169:59487 validates as Bogus

Anyone else with the same issues?


DNSViz always shows the same behaviour:

http://dnsviz.net/d/onba.zkb.ch/dnssec/
http://dnsviz.net/d/www.admin.ch/dnssec/

Errors (3)
	• ./DNSKEY: No response was received from the server over UDP (tried 4 times). (2001:500:12::d0d, UDP_0_EDNS0_32768_512)
	• NSEC3 proving non-existence of admin.ch/DS: No NSEC3 RR matches the SNAME (admin.ch).
	• NSEC3 proving non-existence of admin.ch/DS: No NSEC3 RR matches the SNAME (admin.ch).


2001:500:12::d0d is g.root-servers.net

Regards
Christian


More information about the Pdns-users mailing list