DNSSEC


This article describes the implementation of DNSSEC as it relates to BitFolk and its customers.

What

"The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality."

DNSSEC at Wikipedia

Implementation at BitFolk

There are several different places where DNSSEC can be implemented:

  • BitFolk's DNS resolvers, i.e. the things you have configured in your /etc/resolv.conf
  • BitFolk's domains, i.e. bitfolk.com and bitfolk.co.uk
  • Your domains

Your domains

Easy one out of the way first: there's nothing BitFolk needs to do in order to support DNSSEC records in your domains.

If you want to enable DNSSEC on your domains you should go ahead and do that; BitFolk's secondary DNS servers will serve those records without issue.

Clients will of course still need to use a validating resolver in order to gain any benefit from you having enabled DNSSEC.

BitFolk's domains

We'll start looking into enabling DNSSEC for bitfolk.com and bitfolk.co.uk once BitFolk's resolvers have DNSSEC support.

Aside from the obvious benefits of protecting against mangling of our DNS data, supporting DNSSEC in bitfolk.com will allow us to publish SSHFP and DANE records. SSHFP particularly will help customers to trust that they really are connecting to a BitFolk host the first time they need to connect to their console. At the moment that is somewhat awkward.
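The following is an added example, not BitFolk's own tooling: it shows how an SSHFP record is derived from a host's SSH public key (RFC 4255, RFC 6594). The hostname console.example.org. and the key are constructed placeholders; on a real host, ssh-keygen -r produces the same records.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from RFC 4255, RFC 6594 and RFC 7479.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FINGERPRINT_TYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(hostname, pubkey_line):
    """Build SSHFP records from one line of an OpenSSH public key file."""
    key_type, b64_blob = pubkey_line.split()[:2]
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was edited or truncated.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode("ascii"):
        raise ValueError("key type does not match the key blob")
    # The fingerprint is a hash over the whole decoded blob.
    return [
        f"{hostname} IN SSHFP {SSHFP_ALGORITHM[key_type]} {fp_type} "
        f"{digest(blob).hexdigest()}"
        for fp_type, digest in FINGERPRINT_TYPE.items()
    ]


def constructed_ed25519_line():
    """A syntactically valid but made-up Ed25519 public key line."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " demo"


if __name__ == "__main__":
    # Hypothetical hostname; prints one SHA-1 and one SHA-256 record.
    for record in sshfp_records("console.example.org.", constructed_ed25519_line()):
        print(record)
```

A client only gains from these records if it looks them up (OpenSSH's VerifyHostKeyDNS option) and the answer has been DNSSEC-validated; an unsigned SSHFP record is no more trustworthy than the first-connection prompt it replaces.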

BitFolk's DNS resolvers

Enabling DNSSEC validation on BitFolk's resolvers is quite a big deal, because almost every customer uses those resolvers for all their traffic, and it is expected that enabling validation will cause some degree of breakage – there will be a non-zero number of domains that have enabled DNSSEC incorrectly, thus making themselves unresolvable by a validating resolver. We therefore have to plan this quite carefully.

26th March 2013: Initial consultation

An initial consultation was posted to the users mailing list to decide how best to handle this.

27th March 2013: Test resolver made available

A test resolver with DNSSEC validation enabled was made available on 85.119.80.243. You can either put all your traffic through it by replacing all IPs in your /etc/resolv.conf with this IP address, or else you can test specific queries against this resolver:

dig -t a www.dnssec-failed.org @85.119.80.243
dig -t txt test.dnssec-or-not.net @85.119.80.243
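One way to interpret the result of the first query, as an added example that is not part of the original page: compare the header dig prints for www.dnssec-failed.org with the header for the same query repeated with dig's +cd (checking disabled) flag. The two dig outputs below are constructed samples, and the +cd comparison is an addition to the commands above.

```python
import re

# Constructed dig header lines for www.dnssec-failed.org: a plain query,
# and the same query sent with +cd so the resolver skips validation.
PLAIN_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
CD_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS = re.compile(r";; flags: ([a-z ]*);")


def parse_dig(output):
    """Return (status, set of flags) from dig's header section."""
    status = STATUS.search(output)
    flags = FLAGS.search(output)
    if not status or not flags:
        raise ValueError("no dig header section found")
    return status.group(1), set(flags.group(1).split())


def classify(plain_output, cd_output):
    """Classify a resolver from its answers for a deliberately broken zone."""
    status, _ = parse_dig(plain_output)
    cd_status, cd_flags = parse_dig(cd_output)
    if "cd" not in cd_flags:
        return "inconclusive: second query was not sent with +cd"
    if status == "SERVFAIL" and cd_status == "NOERROR":
        # The data is reachable; only validation makes the lookup fail.
        return "validating"
    if status == "NOERROR":
        # Either no validation at all, or failures are logged but not enforced.
        return "not enforcing validation"
    return "inconclusive: the zone may simply be unreachable"


if __name__ == "__main__":
    print(classify(PLAIN_OUTPUT, CD_OUTPUT))
```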

29th March 2013: Plan announced

The schedule for enabling DNSSEC was posted to the announce mailing list.

30th March 2013: Permissive mode enabled

DNSSEC validation in permissive mode was enabled on BitFolk's production resolvers. This performs validation but in the event of a validation failure merely logs the problem and still returns the answer as normal. It will allow us to gauge the impact of enabling validation for real.
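An added example, not BitFolk's own script, of how permissive-mode log entries can be reduced to a per-name summary with a last failure time and grouped by the zone whose key failed. The page does not say which resolver software is in use, so the log format is an assumption modelled on Unbound's validator messages, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample, modelled on Unbound's validator log lines (assumed format).
SAMPLE_LOG = """\
[1364818207] unbound[2211:0] info: validation failure <www.dnssec-failed.org. A IN>: no keys have a DS with algorithm RSASHA1 from 192.0.2.53 for key dnssec-failed.org. while building chain of trust
[1364818260] unbound[2211:0] info: validation failure <7.2.0.192.in-addr.arpa. PTR IN>: signature expired from 192.0.2.54 for key 192.in-addr.arpa. while building chain of trust
[1364821900] unbound[2211:0] info: validation failure <9.2.0.192.in-addr.arpa. PTR IN>: signature expired from 192.0.2.54 for key 192.in-addr.arpa. while building chain of trust
[1364825000] unbound[2211:0] info: validation failure <www.dnssec-failed.org. A IN>: no keys have a DS with algorithm RSASHA1 from 192.0.2.53 for key dnssec-failed.org. while building chain of trust
[1364825001] unbound[2211:0] info: resolving www.example.net. A IN
"""

FAILURE = re.compile(
    r"^\[(?P<ts>\d+)\] \S+ info: validation failure "
    r"<(?P<name>\S+) (?P<qtype>\S+) IN>: (?P<reason>.*)$"
)
KEY_ZONE = re.compile(r" for key (\S+)")


def summarise(log_text):
    """Return {(name, qtype): {"count", "last", "zone"}} for logged failures."""
    summary = {}
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue  # not a validation failure
        entry = summary.setdefault(
            (m["name"].lower(), m["qtype"]), {"count": 0, "last": 0, "zone": None}
        )
        entry["count"] += 1
        entry["last"] = max(entry["last"], int(m["ts"]))
        zone = KEY_ZONE.search(m["reason"])
        if zone:
            entry["zone"] = zone.group(1).lower()
    return summary


def by_zone(summary):
    """Group failing names under the zone whose key failed validation."""
    zones = defaultdict(set)
    for (name, _qtype), entry in summary.items():
        zones[entry["zone"] or name].add(name)
    return {zone: sorted(names) for zone, names in zones.items()}


def report(summary):
    """Rows of (name, qtype, count, last failure time in UTC)."""
    rows = []
    for (name, qtype), entry in sorted(summary.items()):
        last = datetime.fromtimestamp(entry["last"], tz=timezone.utc)
        rows.append((name, qtype, entry["count"], last.strftime("%Y-%m-%d %H:%M:%S")))
    return rows
```

Grouping by zone is what turns many individual failing names into one finding, such as a whole reverse tree or TLD whose signatures have gone bad.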

6th April 2013: Analysis of validation logs

An analysis of DNSSEC validation failures in the logs from 30th March onwards:


Comments

DNSSEC for the whole of the 177.* reverse DNS tree was broken for at least two days.

DNSSEC for the whole of the mm. (Myanmar/Burma) ccTLD was broken for at least two days. It looks like they botched their re-sign, as has happened several times before.

Still broken

The following domains appear to still be broken at time of writing.

  • globalwave.com.br
  • ink361.com
  • frm.li
  • sugarlabs.net
  • 2times.nl
  • aol.org
  • dnssec-failed.org
  • subdesu.org
  • kilotin.se

Unless they get fixed they will not be resolvable from BitFolk after Monday 29th April 2013. If you have an interest in being able to resolve them from BitFolk then you should take your own steps to try to get them fixed, e.g. by contacting them now.

Anything not listed here got fixed.

29th April 2013: Validation was enabled

Full DNSSEC validation was enabled on this date.