DNSSEC

This article describes the implementation of DNSSEC as it relates to BitFolk and its customers.

What

"The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality."

– DNSSEC at Wikipedia

Implementation at BitFolk

There's several different places where DNSSEC can be implemented:

BitFolk's DNS resolvers

The things you have configured in your /etc/resolv.conf

BitFolk's domains

i.e., bitfolk.com and bitfolk.co.uk

Your domains

Your domains

Easy one out of the way first.. there's nothing BitFolk needs to do in order to support DNSSEC records in your domains.

If you want to enable DNSSEC on your domains you should go ahead and do that; BitFolk's secondary DNS servers will serve those records without issue.

Clients will of course still need to use a validating resolver in order to gain any benefit from you having enabled DNSSEC.

BitFolk's domains

We'll start looking into enabling DNSSEC for bitfolk.com and bitfolk.co.uk once BitFolk's resolvers have DNSSEC support.

Aside from the obvious benefits of protecting against mangling of our DNS data, supporting DNSSEC in bitfolk.com will allow us to publish SSHFP and DANE records. SSHFP particularly will help customers to trust that they really are connecting to a BitFolk host the first time they need to connect to their console. At the moment that is somewhat awkward.

BitFolk's DNS resolvers

Enabling DNSSEC validation on BitFolk's resolvers is quite a big deal, because almost every customer users those resolvers for all their traffic, and it is expected that enabling validation will cause some degree of breakage – there will be a non-zero number of domains that have enabled DNSSEC incorrectly thus making themselves unresolvable by a validating resolver. We therefore have to plan this quite carefully.

26th March 2013: Initial consultation

An initial consultation was posted to the users mailing list to decide how best to handle this.

27th March 2013: Test resolver made available

A test resolver with DNSSEC validation enabled was made available on 85.119.80.243. You can either put all your traffic through it by replacing all IPs in your /etc/resolv.conf with this IP address, or else you can test specific queries against this resolver:

dig -t a www.dnssec-failed.org @85.119.80.243
dig -t txt test.dnssec-or-not.net @85.119.80.243

29th March 2013: Plan announced

The schedule for enabling DNSSEC was posted to the announce mailing list.

30th March 2013: Permissive mode enabled

DNSSEC validation in permissive mode was enabled on BitFolk's production resolvers. This performs validation but in the event of a validation failure merely logs the problem and still returns the answer as normal. It will allow us to gauge the impact of enabling validation for real.

6th April 2013: Analysis of validation logs

An analysis of DNSSEC validation failures in the logs from 30th March onwards:

DNSSEC validation failures
Domain	QTYPE	Last failure time	DNSSEC Debugger	DNSViz
177.in-addr.arpa.	NS	Mon Apr 1 12:10:07 2013	http://dnssec-debugger.verisignlabs.com/177.in-addr.arpa	http://dnsviz.net/d/177.in-addr.arpa/dnssec/
56.215.0.177.in-addr.arpa.	PTR	Mon Apr 1 13:33:44 2013	http://dnssec-debugger.verisignlabs.com/56.215.0.177.in-addr.arpa	http://dnsviz.net/d/56.215.0.177.in-addr.arpa/dnssec/
29.97.0.177.in-addr.arpa.	PTR	Mon Apr 1 11:45:35 2013	http://dnssec-debugger.verisignlabs.com/29.97.0.177.in-addr.arpa	http://dnsviz.net/d/29.97.0.177.in-addr.arpa/dnssec/
67.222.1.177.in-addr.arpa.	PTR	Mon Apr 1 11:57:38 2013	http://dnssec-debugger.verisignlabs.com/67.222.1.177.in-addr.arpa	http://dnsviz.net/d/67.222.1.177.in-addr.arpa/dnssec/
44.225.100.177.in-addr.arpa.	PTR	Sun Mar 31 21:55:56 2013	http://dnssec-debugger.verisignlabs.com/44.225.100.177.in-addr.arpa	http://dnsviz.net/d/44.225.100.177.in-addr.arpa/dnssec/
51.233.100.177.in-addr.arpa.	PTR	Mon Apr 1 15:08:09 2013	http://dnssec-debugger.verisignlabs.com/51.233.100.177.in-addr.arpa	http://dnsviz.net/d/51.233.100.177.in-addr.arpa/dnssec/
59.251.100.177.in-addr.arpa.	PTR	Mon Apr 1 02:02:38 2013	http://dnssec-debugger.verisignlabs.com/59.251.100.177.in-addr.arpa	http://dnsviz.net/d/59.251.100.177.in-addr.arpa/dnssec/
115.202.103.177.in-addr.arpa.	PTR	Mon Apr 1 11:54:36 2013	http://dnssec-debugger.verisignlabs.com/115.202.103.177.in-addr.arpa	http://dnsviz.net/d/115.202.103.177.in-addr.arpa/dnssec/
160.143.12.177.in-addr.arpa.	PTR	Mon Apr 1 12:03:34 2013	http://dnssec-debugger.verisignlabs.com/160.143.12.177.in-addr.arpa	http://dnsviz.net/d/160.143.12.177.in-addr.arpa/dnssec/
158.177.12.177.in-addr.arpa.	PTR	Mon Apr 1 13:27:28 2013	http://dnssec-debugger.verisignlabs.com/158.177.12.177.in-addr.arpa	http://dnsviz.net/d/158.177.12.177.in-addr.arpa/dnssec/
90.220.124.177.in-addr.arpa.	PTR	Mon Apr 1 00:27:05 2013	http://dnssec-debugger.verisignlabs.com/90.220.124.177.in-addr.arpa	http://dnsviz.net/d/90.220.124.177.in-addr.arpa/dnssec/
71.18.125.177.in-addr.arpa.	PTR	Sun Mar 31 20:30:26 2013	http://dnssec-debugger.verisignlabs.com/71.18.125.177.in-addr.arpa	http://dnsviz.net/d/71.18.125.177.in-addr.arpa/dnssec/
187.131.130.177.in-addr.arpa.	PTR	Mon Apr 1 14:36:31 2013	http://dnssec-debugger.verisignlabs.com/187.131.130.177.in-addr.arpa	http://dnsviz.net/d/187.131.130.177.in-addr.arpa/dnssec/
26.243.131.177.in-addr.arpa.	PTR	Sun Mar 31 23:07:26 2013	http://dnssec-debugger.verisignlabs.com/26.243.131.177.in-addr.arpa	http://dnsviz.net/d/26.243.131.177.in-addr.arpa/dnssec/
19.20.132.177.in-addr.arpa.	PTR	Sun Mar 31 23:10:20 2013	http://dnssec-debugger.verisignlabs.com/19.20.132.177.in-addr.arpa	http://dnsviz.net/d/19.20.132.177.in-addr.arpa/dnssec/
46.226.139.177.in-addr.arpa.	PTR	Mon Apr 1 11:10:50 2013	http://dnssec-debugger.verisignlabs.com/46.226.139.177.in-addr.arpa	http://dnsviz.net/d/46.226.139.177.in-addr.arpa/dnssec/
140.242.139.177.in-addr.arpa.	PTR	Mon Apr 1 11:53:29 2013	http://dnssec-debugger.verisignlabs.com/140.242.139.177.in-addr.arpa	http://dnsviz.net/d/140.242.139.177.in-addr.arpa/dnssec/
40.45.154.177.in-addr.arpa.	PTR	Sun Mar 31 23:00:09 2013	http://dnssec-debugger.verisignlabs.com/40.45.154.177.in-addr.arpa	http://dnsviz.net/d/40.45.154.177.in-addr.arpa/dnssec/
230.40.156.177.in-addr.arpa.	PTR	Sun Mar 31 22:17:27 2013	http://dnssec-debugger.verisignlabs.com/230.40.156.177.in-addr.arpa	http://dnsviz.net/d/230.40.156.177.in-addr.arpa/dnssec/
7.222.157.177.in-addr.arpa.	PTR	Mon Apr 1 14:37:17 2013	http://dnssec-debugger.verisignlabs.com/7.222.157.177.in-addr.arpa	http://dnsviz.net/d/7.222.157.177.in-addr.arpa/dnssec/
153.192.177.177.in-addr.arpa.	PTR	Sun Mar 31 21:06:11 2013	http://dnssec-debugger.verisignlabs.com/153.192.177.177.in-addr.arpa	http://dnsviz.net/d/153.192.177.177.in-addr.arpa/dnssec/
130.242.177.177.in-addr.arpa.	PTR	Sun Mar 31 21:14:46 2013	http://dnssec-debugger.verisignlabs.com/130.242.177.177.in-addr.arpa	http://dnsviz.net/d/130.242.177.177.in-addr.arpa/dnssec/
154.132.19.177.in-addr.arpa.	PTR	Mon Apr 1 05:20:22 2013	http://dnssec-debugger.verisignlabs.com/154.132.19.177.in-addr.arpa	http://dnsviz.net/d/154.132.19.177.in-addr.arpa/dnssec/
80.187.194.177.in-addr.arpa.	PTR	Mon Apr 1 11:51:34 2013	http://dnssec-debugger.verisignlabs.com/80.187.194.177.in-addr.arpa	http://dnsviz.net/d/80.187.194.177.in-addr.arpa/dnssec/
251.239.195.177.in-addr.arpa.	PTR	Mon Apr 1 14:30:21 2013	http://dnssec-debugger.verisignlabs.com/251.239.195.177.in-addr.arpa	http://dnsviz.net/d/251.239.195.177.in-addr.arpa/dnssec/
5.246.20.177.in-addr.arpa.	PTR	Mon Apr 1 10:13:46 2013	http://dnssec-debugger.verisignlabs.com/5.246.20.177.in-addr.arpa	http://dnsviz.net/d/5.246.20.177.in-addr.arpa/dnssec/
157.45.202.177.in-addr.arpa.	PTR	Mon Apr 1 11:08:34 2013	http://dnssec-debugger.verisignlabs.com/157.45.202.177.in-addr.arpa	http://dnsviz.net/d/157.45.202.177.in-addr.arpa/dnssec/
40.20.203.177.in-addr.arpa.	PTR	Mon Apr 1 11:49:15 2013	http://dnssec-debugger.verisignlabs.com/40.20.203.177.in-addr.arpa	http://dnsviz.net/d/40.20.203.177.in-addr.arpa/dnssec/
42.147.21.177.in-addr.arpa.	PTR	Mon Apr 1 15:01:09 2013	http://dnssec-debugger.verisignlabs.com/42.147.21.177.in-addr.arpa	http://dnsviz.net/d/42.147.21.177.in-addr.arpa/dnssec/
2.229.21.177.in-addr.arpa.	PTR	Mon Apr 1 15:04:17 2013	http://dnssec-debugger.verisignlabs.com/2.229.21.177.in-addr.arpa	http://dnsviz.net/d/2.229.21.177.in-addr.arpa/dnssec/
132.16.224.177.in-addr.arpa.	PTR	Mon Apr 1 05:34:29 2013	http://dnssec-debugger.verisignlabs.com/132.16.224.177.in-addr.arpa	http://dnsviz.net/d/132.16.224.177.in-addr.arpa/dnssec/
196.25.224.177.in-addr.arpa.	PTR	Mon Apr 1 05:48:04 2013	http://dnssec-debugger.verisignlabs.com/196.25.224.177.in-addr.arpa	http://dnsviz.net/d/196.25.224.177.in-addr.arpa/dnssec/
75.251.224.177.in-addr.arpa.	PTR	Mon Apr 1 01:41:05 2013	http://dnssec-debugger.verisignlabs.com/75.251.224.177.in-addr.arpa	http://dnsviz.net/d/75.251.224.177.in-addr.arpa/dnssec/
198.73.224.177.in-addr.arpa.	PTR	Mon Apr 1 01:27:51 2013	http://dnssec-debugger.verisignlabs.com/198.73.224.177.in-addr.arpa	http://dnsviz.net/d/198.73.224.177.in-addr.arpa/dnssec/
85.77.225.177.in-addr.arpa.	PTR	Mon Apr 1 11:56:40 2013	http://dnssec-debugger.verisignlabs.com/85.77.225.177.in-addr.arpa	http://dnsviz.net/d/85.77.225.177.in-addr.arpa/dnssec/
96.106.227.177.in-addr.arpa.	PTR	Mon Apr 1 01:29:14 2013	http://dnssec-debugger.verisignlabs.com/96.106.227.177.in-addr.arpa	http://dnsviz.net/d/96.106.227.177.in-addr.arpa/dnssec/
171.205.227.177.in-addr.arpa.	PTR	Mon Apr 1 02:06:04 2013	http://dnssec-debugger.verisignlabs.com/171.205.227.177.in-addr.arpa	http://dnsviz.net/d/171.205.227.177.in-addr.arpa/dnssec/
22.207.23.177.in-addr.arpa.	PTR	Mon Apr 1 14:57:23 2013	http://dnssec-debugger.verisignlabs.com/22.207.23.177.in-addr.arpa	http://dnsviz.net/d/22.207.23.177.in-addr.arpa/dnssec/
64.19.36.177.in-addr.arpa.	PTR	Mon Apr 1 00:22:26 2013	http://dnssec-debugger.verisignlabs.com/64.19.36.177.in-addr.arpa	http://dnsviz.net/d/64.19.36.177.in-addr.arpa/dnssec/
6.243.36.177.in-addr.arpa.	PTR	Sun Mar 31 21:58:24 2013	http://dnssec-debugger.verisignlabs.com/6.243.36.177.in-addr.arpa	http://dnsviz.net/d/6.243.36.177.in-addr.arpa/dnssec/
12.179.38.177.in-addr.arpa.	PTR	Mon Apr 1 13:35:10 2013	http://dnssec-debugger.verisignlabs.com/12.179.38.177.in-addr.arpa	http://dnsviz.net/d/12.179.38.177.in-addr.arpa/dnssec/
188.241.39.177.in-addr.arpa.	PTR	Mon Apr 1 05:35:05 2013	http://dnssec-debugger.verisignlabs.com/188.241.39.177.in-addr.arpa	http://dnsviz.net/d/188.241.39.177.in-addr.arpa/dnssec/
212.12.40.177.in-addr.arpa.	PTR	Sun Mar 31 20:56:57 2013	http://dnssec-debugger.verisignlabs.com/212.12.40.177.in-addr.arpa	http://dnsviz.net/d/212.12.40.177.in-addr.arpa/dnssec/
107.116.43.177.in-addr.arpa.	PTR	Mon Apr 1 15:14:11 2013	http://dnssec-debugger.verisignlabs.com/107.116.43.177.in-addr.arpa	http://dnsviz.net/d/107.116.43.177.in-addr.arpa/dnssec/
130.151.44.177.in-addr.arpa.	PTR	Mon Apr 1 14:26:50 2013	http://dnssec-debugger.verisignlabs.com/130.151.44.177.in-addr.arpa	http://dnsviz.net/d/130.151.44.177.in-addr.arpa/dnssec/
44.126.47.177.in-addr.arpa.	PTR	Mon Apr 1 10:13:17 2013	http://dnssec-debugger.verisignlabs.com/44.126.47.177.in-addr.arpa	http://dnsviz.net/d/44.126.47.177.in-addr.arpa/dnssec/
19.127.47.177.in-addr.arpa.	PTR	Mon Apr 1 06:03:02 2013	http://dnssec-debugger.verisignlabs.com/19.127.47.177.in-addr.arpa	http://dnsviz.net/d/19.127.47.177.in-addr.arpa/dnssec/
43.74.47.177.in-addr.arpa.	PTR	Sun Mar 31 21:59:27 2013	http://dnssec-debugger.verisignlabs.com/43.74.47.177.in-addr.arpa	http://dnsviz.net/d/43.74.47.177.in-addr.arpa/dnssec/
228.47.53.177.in-addr.arpa.	PTR	Mon Apr 1 11:48:51 2013	http://dnssec-debugger.verisignlabs.com/228.47.53.177.in-addr.arpa	http://dnsviz.net/d/228.47.53.177.in-addr.arpa/dnssec/
161.148.55.177.in-addr.arpa.	PTR	Mon Apr 1 05:08:40 2013	http://dnssec-debugger.verisignlabs.com/161.148.55.177.in-addr.arpa	http://dnsviz.net/d/161.148.55.177.in-addr.arpa/dnssec/
253.183.55.177.in-addr.arpa.	PTR	Mon Apr 1 12:11:17 2013	http://dnssec-debugger.verisignlabs.com/253.183.55.177.in-addr.arpa	http://dnsviz.net/d/253.183.55.177.in-addr.arpa/dnssec/
66.105.66.177.in-addr.arpa.	PTR	Mon Apr 1 01:19:54 2013	http://dnssec-debugger.verisignlabs.com/66.105.66.177.in-addr.arpa	http://dnsviz.net/d/66.105.66.177.in-addr.arpa/dnssec/
145.164.69.177.in-addr.arpa.	PTR	Mon Apr 1 10:35:21 2013	http://dnssec-debugger.verisignlabs.com/145.164.69.177.in-addr.arpa	http://dnsviz.net/d/145.164.69.177.in-addr.arpa/dnssec/
109.219.69.177.in-addr.arpa.	PTR	Mon Apr 1 13:35:32 2013	http://dnssec-debugger.verisignlabs.com/109.219.69.177.in-addr.arpa	http://dnsviz.net/d/109.219.69.177.in-addr.arpa/dnssec/
252.139.75.177.in-addr.arpa.	PTR	Mon Apr 1 11:27:14 2013	http://dnssec-debugger.verisignlabs.com/252.139.75.177.in-addr.arpa	http://dnsviz.net/d/252.139.75.177.in-addr.arpa/dnssec/
72.80.75.177.in-addr.arpa.	PTR	Mon Apr 1 11:16:03 2013	http://dnssec-debugger.verisignlabs.com/72.80.75.177.in-addr.arpa	http://dnsviz.net/d/72.80.75.177.in-addr.arpa/dnssec/
19.142.84.177.in-addr.arpa.	PTR	Mon Apr 1 11:19:53 2013	http://dnssec-debugger.verisignlabs.com/19.142.84.177.in-addr.arpa	http://dnsviz.net/d/19.142.84.177.in-addr.arpa/dnssec/
105.2.85.177.in-addr.arpa.	PTR	Mon Apr 1 00:52:24 2013	http://dnssec-debugger.verisignlabs.com/105.2.85.177.in-addr.arpa	http://dnsviz.net/d/105.2.85.177.in-addr.arpa/dnssec/
46.241.87.177.in-addr.arpa.	PTR	Mon Apr 1 00:56:23 2013	http://dnssec-debugger.verisignlabs.com/46.241.87.177.in-addr.arpa	http://dnsviz.net/d/46.241.87.177.in-addr.arpa/dnssec/
117.167.99.177.in-addr.arpa.	PTR	Mon Apr 1 01:25:39 2013	http://dnssec-debugger.verisignlabs.com/117.167.99.177.in-addr.arpa	http://dnsviz.net/d/117.167.99.177.in-addr.arpa/dnssec/
120.167.99.177.in-addr.arpa.	PTR	Mon Apr 1 00:57:11 2013	http://dnssec-debugger.verisignlabs.com/120.167.99.177.in-addr.arpa	http://dnsviz.net/d/120.167.99.177.in-addr.arpa/dnssec/
27.186.99.177.in-addr.arpa.	PTR	Mon Apr 1 01:46:10 2013	http://dnssec-debugger.verisignlabs.com/27.186.99.177.in-addr.arpa	http://dnsviz.net/d/27.186.99.177.in-addr.arpa/dnssec/
4.32.173.63.in-addr.arpa.	PTR	Mon Apr 1 04:42:47 2013	http://dnssec-debugger.verisignlabs.com/4.32.173.63.in-addr.arpa	http://dnsviz.net/d/4.32.173.63.in-addr.arpa/dnssec/
130.188.169.65.in-addr.arpa.	PTR	Mon Apr 1 05:36:32 2013	http://dnssec-debugger.verisignlabs.com/130.188.169.65.in-addr.arpa	http://dnsviz.net/d/130.188.169.65.in-addr.arpa/dnssec/
ip-189.90.54-254.globalwave.com.br.	A	Wed Apr 3 13:46:14 2013	http://dnssec-debugger.verisignlabs.com/ip-189.90.54-254.globalwave.com.br	http://dnsviz.net/d/ip-189.90.54-254.globalwave.com.br/dnssec/
ip-189.90.54-254.globalwave.com.br.	AAAA	Wed Apr 3 13:46:13 2013	http://dnssec-debugger.verisignlabs.com/ip-189.90.54-254.globalwave.com.br	http://dnsviz.net/d/ip-189.90.54-254.globalwave.com.br/dnssec/
mailjet._domainkey.ink361.com.	TXT	Thu Apr 4 19:28:02 2013	http://dnssec-debugger.verisignlabs.com/mailjet._domainkey.ink361.com	http://dnsviz.net/d/mailjet._domainkey.ink361.com/dnssec/
internetgremlin.com.	NS	Tue Apr 2 11:10:06 2013	http://dnssec-debugger.verisignlabs.com/internetgremlin.com	http://dnsviz.net/d/internetgremlin.com/dnssec/
custmail.internetgremlin.com.	A	Tue Apr 2 11:06:12 2013	http://dnssec-debugger.verisignlabs.com/custmail.internetgremlin.com	http://dnsviz.net/d/custmail.internetgremlin.com/dnssec/
ns3.internetgremlin.com.	A	Tue Apr 2 11:10:06 2013	http://dnssec-debugger.verisignlabs.com/ns3.internetgremlin.com	http://dnsviz.net/d/ns3.internetgremlin.com/dnssec/
ns4.internetgremlin.com.	A	Tue Apr 2 11:10:06 2013	http://dnssec-debugger.verisignlabs.com/ns4.internetgremlin.com	http://dnsviz.net/d/ns4.internetgremlin.com/dnssec/
_adsp._domainkey.rubenkerkhof.com.	TXT	Wed Apr 3 06:39:50 2013	http://dnssec-debugger.verisignlabs.com/_adsp._domainkey.rubenkerkhof.com	http://dnsviz.net/d/_adsp._domainkey.rubenkerkhof.com/dnssec/
blogs.loc.gov.	AAAA	Mon Apr 1 22:09:22 2013	http://dnssec-debugger.verisignlabs.com/blogs.loc.gov	http://dnsviz.net/d/blogs.loc.gov/dnssec/
frm.li.	NS	Sat Apr 6 14:10:10 2013	http://dnssec-debugger.verisignlabs.com/frm.li	http://dnsviz.net/d/frm.li/dnssec/
google.com.mm.	NS	Mon Apr 1 04:10:07 2013	http://dnssec-debugger.verisignlabs.com/google.com.mm	http://dnsviz.net/d/google.com.mm/dnssec/
mpt.net.mm.	NS	Mon Apr 1 04:10:07 2013	http://dnssec-debugger.verisignlabs.com/mpt.net.mm	http://dnsviz.net/d/mpt.net.mm/dnssec/
nic.net.mm.	NS	Mon Apr 1 04:10:07 2013	http://dnssec-debugger.verisignlabs.com/nic.net.mm	http://dnsviz.net/d/nic.net.mm/dnssec/
nic.mm.	NS	Mon Apr 1 04:10:07 2013	http://dnssec-debugger.verisignlabs.com/nic.mm	http://dnsviz.net/d/nic.mm/dnssec/
clasconsultants.net.	NS	Tue Apr 2 11:10:06 2013	http://dnssec-debugger.verisignlabs.com/clasconsultants.net	http://dnsviz.net/d/clasconsultants.net/dnssec/
lists.clasconsultants.net.	AAAA	Tue Apr 2 11:06:19 2013	http://dnssec-debugger.verisignlabs.com/lists.clasconsultants.net	http://dnsviz.net/d/lists.clasconsultants.net/dnssec/
lists.clasconsultants.net.	A	Tue Apr 2 11:06:19 2013	http://dnssec-debugger.verisignlabs.com/lists.clasconsultants.net	http://dnsviz.net/d/lists.clasconsultants.net/dnssec/
sugarlabs.net.	NS	Sat Apr 6 14:10:10 2013	http://dnssec-debugger.verisignlabs.com/sugarlabs.net	http://dnsviz.net/d/sugarlabs.net/dnssec/
ns2.sugarlabs.net.	A	Sat Apr 6 10:54:12 2013	http://dnssec-debugger.verisignlabs.com/ns2.sugarlabs.net	http://dnsviz.net/d/ns2.sugarlabs.net/dnssec/
2times.nl.	MX	Fri Apr 5 14:18:32 2013	http://dnssec-debugger.verisignlabs.com/2times.nl	http://dnsviz.net/d/2times.nl/dnssec/
2times.nl.	NS	Sat Apr 6 14:10:10 2013	http://dnssec-debugger.verisignlabs.com/2times.nl	http://dnsviz.net/d/2times.nl/dnssec/
aol.org.	NS	Sat Apr 6 14:10:11 2013	http://dnssec-debugger.verisignlabs.com/aol.org	http://dnsviz.net/d/aol.org/dnssec/
dnssec-failed.org.	NS	Sat Apr 6 14:10:10 2013	http://dnssec-debugger.verisignlabs.com/dnssec-failed.org	http://dnsviz.net/d/dnssec-failed.org/dnssec/
subdesu.org.	NS	Sat Apr 6 14:10:10 2013	http://dnssec-debugger.verisignlabs.com/subdesu.org	http://dnsviz.net/d/subdesu.org/dnssec/
www.subdesu.org.	A	Sat Apr 6 14:37:17 2013	http://dnssec-debugger.verisignlabs.com/www.subdesu.org	http://dnsviz.net/d/www.subdesu.org/dnssec/
www.subdesu.org.	AAAA	Sat Apr 6 14:37:17 2013	http://dnssec-debugger.verisignlabs.com/www.subdesu.org	http://dnsviz.net/d/www.subdesu.org/dnssec/
kilotin.se.	NS	Sat Apr 6 14:10:10 2013	http://dnssec-debugger.verisignlabs.com/kilotin.se	http://dnsviz.net/d/kilotin.se/dnssec/
www.kilotin.se.	A	Fri Apr 5 12:07:22 2013	http://dnssec-debugger.verisignlabs.com/www.kilotin.se	http://dnsviz.net/d/www.kilotin.se/dnssec/
www.kilotin.se.	AAAA	Fri Apr 5 12:07:22 2013	http://dnssec-debugger.verisignlabs.com/www.kilotin.se	http://dnsviz.net/d/www.kilotin.se/dnssec/
peterbance.co.uk.	A	Tue Apr 2 11:08:20 2013	http://dnssec-debugger.verisignlabs.com/peterbance.co.uk	http://dnsviz.net/d/peterbance.co.uk/dnssec/
peterbance.co.uk.	AAAA	Wed Apr 3 07:01:39 2013	http://dnssec-debugger.verisignlabs.com/peterbance.co.uk	http://dnsviz.net/d/peterbance.co.uk/dnssec/
peterbance.co.uk.	NS	Tue Apr 2 11:10:06 2013	http://dnssec-debugger.verisignlabs.com/peterbance.co.uk	http://dnsviz.net/d/peterbance.co.uk/dnssec/

Comments

DNSSEC for the whole of the 177.* reverse DNS tree was broken for at least two days.

DNSSEC for the whole of the mm. (Myanmar/Burma) ccTLD was broken for at least two days. It looks like they botched their re-sign, as has happened several times before.

Still broken

The following domains appear to still be broken at time of writing.

globalwave.com.br
ink361.com
frm.li
sugarlabs.net
2times.nl
aol.org
dnssec-failed.org
subdesu.org
kilotin.se

Unless they get fixed they will not be resolvable from BitFolk after Monday 29th April 2013. If you have an interest in being able to resolve them from BitFolk then you should take your own steps to try to get them fixed, e.g. by contacting them now.

Anything not listed here got fixed.

29th April 2013: Validation was enabled

Full DNSSEC validation was enabled on this date.

Contents

What

Implementation at BitFolk

Your domains

BitFolk's domains

BitFolk's DNS resolvers

26th March 2013: Initial consultation

27th March 2013: Test resolver made available

29th March 2013: Plan announced

30th March 2013: Permissive mode enabled

6th April 2013: Analysis of validation logs

Comments

Still broken

29th April 2013: Validation was enabled

Navigation menu

DNSSEC

What

Implementation at BitFolk

Your domains

BitFolk's domains

BitFolk's DNS resolvers

26th March 2013: Initial consultation

27th March 2013: Test resolver made available

29th March 2013: Plan announced

30th March 2013: Permissive mode enabled

6th April 2013: Analysis of validation logs

Comments

Still broken

29th April 2013: Validation was enabled

Navigation menu

Search