> Can we have a couple of reproducers please?
>
> We do run tests on RHEL-like 8,9,10 and no current test caught failure like
> that, so having a solid reproducer would be nice.
The zone in question is globalconnect.no, which currently has 2 DNSKEY
alg 7 (ZSK and KSK), and 2 DNSKEY alg 13:
globalconnect.no. 86400 IN DNSKEY 256 3 13 (
PgfR2bY3UuhvNMY5iwh0lBAunsF+1U5rTMCPJpe2yyEn
Gz7Uf0ZAW4Y+gHJ7dyhuZy4IrCLdr8oQtPXa/z8IdA==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 11766
globalconnect.no. 86400 IN DNSKEY 257 3 7 (
AwEAAcohltTqte+Dh5ILQQJc6H+hptQDzfwd3IKJCvUL
8EOolAOBnXKxExA1rDCvLdk5OUQhp3kG4JAmOjQVefCN
d/1GrfIEDnQ4e4NvRCgQEudb4MjOetwlRC6thFYiP5no
bzc4kiQpTWBNwDZVG0JUhWbJe6qlg+ltf3DvJqBNv97t
k7SER7GpBeQP/xC7M9l6P1Lg0+VUecO0RKJSv1weFcsD
6bKpEZEvVWznxdS4poi+jXCtw+n2Tz0ThEv5/+bbPjqU
jal1m0Y/ikjmuNSQFPYTLpzYzFHrtNOCr0zB3IYjBTEt
qvhYP6qM90Qf9k7QJqFA5+W8xNBJi5qmP6LJq0M=
) ; KSK; alg = NSEC3RSASHA1 ; key id = 57648
globalconnect.no. 86400 IN DNSKEY 257 3 13 (
DiJpDhQC3P+Wl/XgG+tcUE7Vkg4LlOEUeLW7DyMqghVG
4Fb8mQcDE47l+czT7F1e5OF+mNVI3Iwhl0NQ2iXlpw==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 17792
globalconnect.no. 86400 IN DNSKEY 256 3 7 (
AwEAAb8QfXz1Unqt6DOAN2WfpG2/4AE+X1nXbf2e17GM
/UfHFvVMvSBxzZjKH7tms9pbMHK8aKBj9J1K88he0TWn
LDH4/F7BcQkPziAFUmP8hWWukjrDTgi+mwG5Vc144K7w
HogAu0ZuRQUr0Nb8cBNg9Qc9XqbsXGIcRScoyfrncqV6
fKjFGHtmCMYLKhfljrA7uVlZJ6hIlLFhIBhlquDovn9P
ERnhkJAtqyPi3wN29hiSXapGGY0FDPu/6lBi8Eubu2Lq
OdtgkH781orUvXX2YmeOa6yqvq5GzUYjG8FqDEoQ1i+O
LoxihH5eWEn++f/XS2SdFMwXzW+zT9nyz8gyLSU=
) ; ZSK; alg = NSEC3RSASHA1 ; key id = 2690
I discovered the problem this morning (Norwegian time) because I tried to
send an email to [email protected] from MY home (on Telenor Internet),
and got a SERVFAIL from Bjørn's resolvers.
Note that globalconnect.no is in the process of being updated, removing
the alg 7 DNSKEYs, so I don't know for how much longer you'll be able to
see this.
Steinar Haug, AS2116
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.
