HI Linas, Sorry, this was a false alarm. The evaluation was 4 days old (from 7/22). I forced the site to re-evaluate and the errors went away. Now we're just down to the glue record warning, but the domain is secure. -derek
On Mon, July 26, 2021 10:20 am, Derek Atkins wrote: > HI, > > There was a bug report when DNSsec was down, which pointed to a reddit > thread, which pointed me to https://dnsviz.net/d/www.gnucash.org/dnssec/ > This is an interesting website which is pointing out two issues with the > gnucash.org domain: > > 1) A warning that the glue records for my nameserver don't match the > authoritative data. The issue here is that I have multiple IPv6 addresses > for that server, but only one of them is listed in the glue record. As of > right now, I can't figure out a way to list multiple v6 addresses in the > glue record. I've reached out to my DNS registrar to figure out if there > is a way to fix this, but a quick google search seems to imply that it is > not supported. :( > > 2) An error that there are no valid RRSIGs created by a key corresponding > to a DS RR covering the DNSKEY RRset, resulting in no secure entry point > (SEP) into the zone. This seems to imply you need to go to the > gnucash.org registrar and make sure the DS record(s) there correspond to > the correct keys you've got locally. > > For some reason they still have the expired sigs cached. Not sure why, > other than that they have a 3-day TTL, but that should have expired at > least by yesterday. > > We should get these issues fixed. > > -derek > > -- > Derek Atkins 617-623-3745 > de...@ihtfp.com www.ihtfp.com > Computer and Internet Security Consultant > _______________________________________________ > gnucash-devel mailing list > gnucash-devel@gnucash.org > https://lists.gnucash.org/mailman/listinfo/gnucash-devel > -- Derek Atkins 617-623-3745 de...@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant _______________________________________________ gnucash-devel mailing list gnucash-devel@gnucash.org https://lists.gnucash.org/mailman/listinfo/gnucash-devel