It appears that the bluewin DNS caches are using an old key for verifying DNSSEC for the zone switch.ch, as can be seen by using the "cd" option of dig:

; <<>> DiG 9.6.1-P1 <<>> @dns1.bluewin.ch. switch.ch. soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 605
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;switch.ch. IN SOA

;; Query time: 40 msec
;; SERVER: 195.186.1.110#53(195.186.1.110)
;; WHEN: Mon Aug 3 14:17:55 2009
;; MSG SIZE rcvd: 27

; <<>> DiG 9.6.1-P1 <<>> @dns1.bluewin.ch. switch.ch. soa +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 865
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;switch.ch. IN SOA

;; ANSWER SECTION:
switch.ch. 86400 IN SOA scsnms.switch.ch. hostmaster.switch.ch. 2009080301 28800 7200 604800 180

;; Query time: 4 msec
;; SERVER: 195.186.1.110#53(195.186.1.110)
;; WHEN: Mon Aug 3 14:17:56 2009
;; MSG SIZE rcvd: 81

I sent mail to hostmaster@bluewin.ch but I'm not sure whether that gets the proper attention. This is a serious issue for us.
To everybody: PLEASE don't configure DNSSEC trust anchors from untrusted sources (heck, that's why they are called trust anchors). That defeats the purpose of it and chances are that you will miss key-rollovers.
BTW, is the #swinog IRC channel still alive somewhere after irc.swinog.ch went away?
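
The check from the first post, as an added example that is not part of the original thread: it parses the header of two dig runs against the same resolver (one plain, one with +cd) and classifies the pair. The two sample headers are copied from the post; the function names and category labels are assumptions of this example.

```python
import re

# Header lines copied from the two dig runs in the post above.
PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 605
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
WITH_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 865
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"""

STATUS_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS_RE = re.compile(r"^;; flags:([a-z ]*);", re.MULTILINE)


def parse_dig(text):
    """Return (status, set_of_flags) from dig's text output."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if status is None or flags is None:
        raise ValueError("no dig response header found")
    return status.group(1), set(flags.group(1).split())


def classify(plain_out, cd_out):
    """Compare a normal query with a +cd query sent to the same resolver."""
    status, flags = parse_dig(plain_out)
    cd_status, cd_flags = parse_dig(cd_out)
    if "cd" not in cd_flags:
        # The server must echo CD; without it the second run proves nothing.
        return "inconclusive"
    if status == "SERVFAIL" and cd_status == "NOERROR":
        # The data is reachable, but the resolver's own validation rejects it.
        return "validation-failure"
    if status == "SERVFAIL" and cd_status == "SERVFAIL":
        # Fails even with checking disabled: not a DNSSEC validation problem.
        return "resolution-failure"
    if status == "NOERROR" and "ad" in flags:
        # The resolver answered and marked the data as authenticated.
        return "validated"
    return "inconclusive"


if __name__ == "__main__":
    print(classify(PLAIN, WITH_CD))
```

A "validation-failure" result only shows that the resolver rejects data it can fetch; whether the cause is a stale trust anchor, as suspected in the post, has to be confirmed on the resolver itself.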
hi alexander
> ... I sent mail to hostmaster@bluewin.ch but I'm not sure whether that gets the proper attention. This is a serious issue for us. ...
thanks, i've forwarded the mail to the DNS guys from bluewin ,-)
> BTW, is the #swinog IRC channel still alive somewhere after irc.swinog.ch went away?
actually, irc.swinog.ch is still alive - if you're peering over swissix or get the swissix prefix. if you're outside of the 'swissix-network' you can use:
- irc.swissix.ch:6667 (within swissix peers)
- irc.subcult.ch:6667
- irc.nazgul.ch:6667
- irc.bytemine.net:6667
-steven
On Mon, 3 Aug 2009 14:37:03 +0200, Steven.Glogger@swisscom.com said:
> hi alexander
> > ... I sent mail to hostmaster@bluewin.ch but I'm not sure whether that gets the proper attention. This is a serious issue for us. ...
> thanks, i've forwarded the mail to the DNS guys from bluewin ,-)
Thanks.
> > BTW, is the #swinog IRC channel still alive somewhere after irc.swinog.ch went away?
> actually, irc.swinog.ch is still alive - if you're peering over swissix or get the swissix prefix. if you're outside of the 'swissix-network' you can use:
> - irc.swissix.ch:6667 (within swissix peers)
Cool, it only works over IPv6. Uncool: pidgin doesn't do IPv6.
> - irc.subcult.ch:6667
This one works for me.
> - irc.nazgul.ch:6667
> - irc.bytemine.net:6667
> -steven
Thanks, Alex