Dear Mr. Dukhovni: I'll open a trouble ticket with Afilias; however, for the moment, I have re-signed all the files locally, and done a serial number increment, and pushed them to Afilias. I will watch to see if that clears it. Also, please let me remind everyone on the list that the reporting address for things of this type is ietf-action@xxxxxxxx. Thanks, Glen Glen Barney IT Director AMS (IETF Secretariat) On Sat, Nov 7, 2015 at 12:54 PM, Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> wrote: > It looks like master -> slave DNS updates are failing, only the master > nameserver has unexpired signatures: > > http://dnsviz.net/d/irtf.org/dnssec/ > > However, all the nameservers report the same SOA serial as the master: > > $ dig -t ns +noall +ans +nocl +nottl irtf.org @ns0.amsl.com. > irtf.org. NS ns0.amsl.com. > irtf.org. NS ns1.ams1.afilias-nst.info. > irtf.org. NS ns1.hkg1.afilias-nst.info. > irtf.org. NS ns1.mia1.afilias-nst.info. > irtf.org. NS ns1.sea1.afilias-nst.info. > irtf.org. NS ns1.yyz1.afilias-nst.info. > > $ dig -t soa +noall +ans +nocl +nottl irtf.org @ns0.amsl.com. > irtf.org. SOA ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800 > > $ while read ns; do dig -t soa +noall +ans +nocl +nottl irtf.org @$ns; done <<-EOF > ns1.ams1.afilias-nst.info. > ns1.hkg1.afilias-nst.info. > ns1.mia1.afilias-nst.info. > ns1.sea1.afilias-nst.info. > ns1.yyz1.afilias-nst.info. > EOF > irtf.org. SOA ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800 > irtf.org. SOA ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800 > irtf.org. SOA ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800 > irtf.org. SOA ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800 > irtf.org. SOA ns0.amsl.com. glen.amsl.com. 1200000226 1800 1800 604800 1800 > > So perhaps the master zone resigning is no longer updating the SOA > record. In any case, DNS resolution for irtf.org is mostly down. > > -- > Viktor. >