.biz DNSSEC borked

Franck Martin fmartin at linkedin.com
Mon Jun 24 02:50:32 UTC 2013


On Jun 23, 2013, at 4:49 PM, Valdis.Kletnieks at vt.edu wrote:

> On Sat, 22 Jun 2013 20:45:44 +0200, Andre Tomt said:
>> Seems the entire .biz tld is failing DNSSEC validation now.
>> All of my DNSSEC validating resolvers are tossing all domains in .biz.
>> The non-signed domains too of course because trust of the tld itself
>> cannot be established.
>> 
>> http://dnssec-debugger.verisignlabs.com/nic.biz
> 
> So which event caused more disruption?  50K .com's in a failed DDoS
> mitigation, or every single .biz lookup by something that actually does
> dnssec?
> 
I don't think we are trying to quantify which one was worse or point fingers, but how do we remediate these types of issues in the future? I think these events will happen more and more often...

A TTL of 2 days seems rather long for NS, and do I see a 6-day TTL for DNSSEC records for .biz?