Thanks, that’s helpful, I guess it should be possible to set up something like this on our own.
Thinking aloud - perhaps it is the combination of valid and invalid algorithm (aka unfinished algorithm rollover) that is broken? We will look into this.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 31. 10. 2025, at 13:25, [email protected] wrote:
>
>>
>> Can we have a couple of reproducers please?
>>
>> We do run tests on RHEL-like 8,9,10 and no current test caught failure like
>> that, so having a solid reproducer would be nice.
>
> The zone in question is globalconnect.no, which currently has 2 DNSKEY
> alg 7 (ZSK and KSK), and 2 DNSKEY alg 13:
>
> globalconnect.no. 86400 IN DNSKEY 256 3 13 (
>     PgfR2bY3UuhvNMY5iwh0lBAunsF+1U5rTMCPJpe2yyEn
>     Gz7Uf0ZAW4Y+gHJ7dyhuZy4IrCLdr8oQtPXa/z8IdA==
>     ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 11766
> globalconnect.no. 86400 IN DNSKEY 257 3 7 (
>     AwEAAcohltTqte+Dh5ILQQJc6H+hptQDzfwd3IKJCvUL
>     8EOolAOBnXKxExA1rDCvLdk5OUQhp3kG4JAmOjQVefCN
>     d/1GrfIEDnQ4e4NvRCgQEudb4MjOetwlRC6thFYiP5no
>     bzc4kiQpTWBNwDZVG0JUhWbJe6qlg+ltf3DvJqBNv97t
>     k7SER7GpBeQP/xC7M9l6P1Lg0+VUecO0RKJSv1weFcsD
>     6bKpEZEvVWznxdS4poi+jXCtw+n2Tz0ThEv5/+bbPjqU
>     jal1m0Y/ikjmuNSQFPYTLpzYzFHrtNOCr0zB3IYjBTEt
>     qvhYP6qM90Qf9k7QJqFA5+W8xNBJi5qmP6LJq0M=
>     ) ; KSK; alg = NSEC3RSASHA1 ; key id = 57648
> globalconnect.no. 86400 IN DNSKEY 257 3 13 (
>     DiJpDhQC3P+Wl/XgG+tcUE7Vkg4LlOEUeLW7DyMqghVG
>     4Fb8mQcDE47l+czT7F1e5OF+mNVI3Iwhl0NQ2iXlpw==
>     ) ; KSK; alg = ECDSAP256SHA256 ; key id = 17792
> globalconnect.no. 86400 IN DNSKEY 256 3 7 (
>     AwEAAb8QfXz1Unqt6DOAN2WfpG2/4AE+X1nXbf2e17GM
>     /UfHFvVMvSBxzZjKH7tms9pbMHK8aKBj9J1K88he0TWn
>     LDH4/F7BcQkPziAFUmP8hWWukjrDTgi+mwG5Vc144K7w
>     HogAu0ZuRQUr0Nb8cBNg9Qc9XqbsXGIcRScoyfrncqV6
>     fKjFGHtmCMYLKhfljrA7uVlZJ6hIlLFhIBhlquDovn9P
>     ERnhkJAtqyPi3wN29hiSXapGGY0FDPu/6lBi8Eubu2Lq
>     OdtgkH781orUvXX2YmeOa6yqvq5GzUYjG8FqDEoQ1i+O
>     LoxihH5eWEn++f/XS2SdFMwXzW+zT9nyz8gyLSU=
>     ) ; ZSK; alg = NSEC3RSASHA1 ; key id = 2690
>
> I discovered the problem this morning (Norwegian time) because I tried to
> send an email to [email protected] from MY home (on Telenor Internet),
> and got a SERVFAIL from Bjørn's resolvers.
>
> Note that globalconnect.no is in the process of being updated, removing
> the alg 7 DNSKEYs, so I don't know for how much longer you'll be able to
> see this.
>
> Steinar Haug, AS2116
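A triage sketch for the situation discussed in this thread, added here as an example (it is not part of the thread and not ISC code): it reads a DNSKEY RRset in presentation format, groups keys by algorithm, and reports what a validator should do under RFC 6840 section 5.11, which says a validator must not insist that every algorithm in the DNSKEY RRset works. The `supported` set and the outcome labels are assumptions of this example, and the sample keeps only the flags and algorithm numbers from the RRset quoted above, with placeholder key data.

```python
import re
from collections import defaultdict

# Constructed sample: owner, flags, algorithm numbers and key ids as quoted in
# the thread; the key data is a placeholder, not the real public keys.
SAMPLE = """\
globalconnect.no. 86400 IN DNSKEY 256 3 13 ( PLACEHOLDER== ) ; key id = 11766
globalconnect.no. 86400 IN DNSKEY 257 3 7 ( PLACEHOLDER== ) ; key id = 57648
globalconnect.no. 86400 IN DNSKEY 257 3 13 ( PLACEHOLDER== ) ; key id = 17792
globalconnect.no. 86400 IN DNSKEY 256 3 7 ( PLACEHOLDER== ) ; key id = 2690
"""

# Matches the first line of each record; multi-line key data is ignored.
RR = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s", re.M)

def algorithms(rrset_text):
    """Map algorithm number -> set of roles ('KSK'/'ZSK') found in the RRset."""
    roles = defaultdict(set)
    for _owner, flags, _proto, alg in RR.findall(rrset_text):
        flags = int(flags)
        if not flags & 0x0100:   # Zone Key bit clear: not a DNSSEC zone key
            continue
        roles[int(alg)].add("KSK" if flags & 0x0001 else "ZSK")  # SEP bit
    return dict(roles)

def classify(rrset_text, supported):
    """Expected outcome for a validator implementing only `supported`.

    Assumption: the parent DS RRset lists the same algorithms as the DNSKEYs.
    """
    algs = set(algorithms(rrset_text))
    usable = algs & set(supported)
    if not algs:
        return "no-dnskeys"
    if not usable:
        return "insecure-expected"              # no supported algorithm at all
    if usable != algs:
        return "mixed-validate-with-supported"  # the state discussed above
    return "all-supported"

if __name__ == "__main__":
    print(algorithms(SAMPLE))
    print(classify(SAMPLE, supported={8, 13}))  # hypothetical validator without alg 7
```

A resolver that returns SERVFAIL for a zone classified as `mixed-validate-with-supported` is the case worth capturing as a reproducer.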

