Re: ietf.org now DNSSEC-bogus :-(

There is still another problem that arguably needs to be addressed.

The IETF website (www.ietf.org) is now aliased to Cloudflare zones that don't do DNSSEC. So validating resolvers querying the IETF website, www.ietf.org, will not be able to authenticate the result. The AD bit won't be set because the answer section includes A/AAAA records without signatures.

--Shumon.



On Fri, Jun 27, 2014 at 10:51 AM, Christopher Morrow <morrowc.lists@xxxxxxxxx> wrote:
;; QUESTION SECTION:
;ietf.org.                      IN      NS

;; ANSWER SECTION:
ietf.org.               1773    IN      NS      ns1.mia1.afilias-nst.info.
ietf.org.               1773    IN      NS      ns1.hkg1.afilias-nst.info.
ietf.org.               1773    IN      NS      ns1.yyz1.afilias-nst.info.
ietf.org.               1773    IN      NS      ns1.ams1.afilias-nst.info.
ietf.org.               1773    IN      NS      ns1.sea1.afilias-nst.info.
ietf.org.               1773    IN      NS      ns0.amsl.com.

maybe fixed now?

http://dnsviz.net/d/ietf.org/dnssec/

seems to also indicate fix action has taken place.

On Fri, Jun 27, 2014 at 6:56 AM, Stephane Bortzmeyer <bortzmeyer@xxxxxx> wrote:
> On Fri, Jun 27, 2014 at 12:50:28PM +0200,
>  Stephane Bortzmeyer <bortzmeyer@xxxxxx> wrote
>  a message of 69 lines which said:
>
>> [Sent by using a mail server with a non-validating resolver...]
>>
>> The delegation at .org still indicates the old name servers but the
>> zone contains the new ones, at Cloudflare.
>
> Ticket [www.ietf.org/rt #66469] by the way.
>
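
An added example, not part of any message in this thread: a small check over a `dig +dnssec` answer section that reports which RRsets carry no covering RRSIG and where a CNAME chain leaves signed data, which is the situation described above for www.ietf.org. The alias target, addresses, key tag and signature in the sample are constructed placeholders, and the function names are hypothetical.

```python
# Constructed sample: answer section in dig +dnssec presentation format.
# Alias target, addresses, key tag and signature are placeholders, not real records.
SAMPLE_ANSWER = """\
www.ietf.org.                 1800 IN CNAME www.ietf.org.cdn.example.net.
www.ietf.org.                 1800 IN RRSIG CNAME 5 3 1800 20150626000000 20140626000000 12345 ietf.org. c2FtcGxl
www.ietf.org.cdn.example.net. 300  IN A     192.0.2.10
www.ietf.org.cdn.example.net. 300  IN A     192.0.2.11
www.ietf.org.cdn.example.net. 300  IN AAAA  2001:db8::10
"""

def parse_rrs(text):
    """Yield (owner, rrtype, rdata_fields) for each 'owner TTL IN type rdata' line."""
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, dig comment lines (';') and anything not in class IN.
        if line.startswith(";") or len(fields) < 5 or fields[2].upper() != "IN":
            continue
        yield fields[0].lower(), fields[3].upper(), fields[4:]

def unsigned_rrsets(text):
    """Return sorted (owner, type) RRsets that have no covering RRSIG in the section."""
    rrsets, covered = set(), set()
    for owner, rrtype, rdata in parse_rrs(text):
        if rrtype == "RRSIG":
            covered.add((owner, rdata[0].upper()))  # first RDATA field is the type covered
        else:
            rrsets.add((owner, rrtype))
    return sorted(rrsets - covered)

def ad_possible(text):
    """A resolver sets AD only if every RRset validates; a missing RRSIG rules that out.
    An RRSIG being present is necessary, not sufficient: it still has to verify."""
    return not unsigned_rrsets(text)

def chain_break(text, qname):
    """Follow CNAMEs from qname; return the first owner with an unsigned RRset, else None."""
    cname = {o: r[0].lower() for o, t, r in parse_rrs(text) if t == "CNAME"}
    bad_owners = {owner for owner, _ in unsigned_rrsets(text)}
    name, seen = qname.lower(), set()
    while name not in seen:
        seen.add(name)
        if name in bad_owners:
            return name
        if name not in cname:
            return None
        name = cname[name]
    return None  # CNAME loop

if __name__ == "__main__":
    print(unsigned_rrsets(SAMPLE_ANSWER), ad_possible(SAMPLE_ANSWER))
    print(chain_break(SAMPLE_ANSWER, "www.ietf.org."))
```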


