On Sat, 10 Nov 2018 at 00:57, Marco Davids (Private) <mdavids=40forfun.net@xxxxxxxxxxxxxx> wrote:
> On 10/11/2018 07:11, Dick Franks wrote:
> > Just tried www.irtf.org and it appears to work for
> > me (UK, BT network)
> Then perhaps you should ask BT to turn on DNSSEC-validation? ;-)
I don't depend on BT for DNSSEC :-)
The odds are longer than 5-1 against a successful validation, so you have to ask yourself, "Do I feel lucky?"
Examining RRSIGs served by ns0.amsl.com (zone primary)
www.irtf.org A RRset verified (keytag 46380)
www.irtf.org AAAA RRset verified (keytag 46380)
irtf.org DNSKEY RRset verified (keytag 46380)
irtf.org DNSKEY RRset verified (keytag 65218)
www.irtf.org AAAA RRset verified (keytag 46380)
irtf.org DNSKEY RRset verified (keytag 46380)
irtf.org DNSKEY RRset verified (keytag 65218)
Zone secondary nameservers have not been updated since new RRSIGs were created over 40 hours ago.
www.irtf.org A key 1: Signature expired at 20181109213333 (keytag 46380)
www.irtf.org AAAA key 1: Signature expired at 20181109213526 (keytag 46380)
www.irtf.org AAAA key 1: Signature expired at 20181109213526 (keytag 46380)
This reveals the questionable robustness of the operation and maintenance functions, and the absence of any service level monitoring at all.
--Dick
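
Added example, not part of the original message: one way to run the per-nameserver RRSIG comparison described above as a monitoring check, flagging signatures that are expired, close to expiry, or older than those another authoritative server is handing out. Only ns0.amsl.com, keytag 46380 and the two 20181109... expiry times come from the message; the secondary's name, the other timestamps, the algorithm number and the signature bytes are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed answers in RRSIG presentation format (RFC 4034). Only ns0.amsl.com,
# keytag 46380 and the two 20181109... expiry times come from the message.
ANSWERS = {
    "ns0.amsl.com": [
        "www.irtf.org. 1800 IN RRSIG A 5 3 1800 20181122150000 20181108150000 46380 irtf.org. c2ln",
        "www.irtf.org. 1800 IN RRSIG AAAA 5 3 1800 20181122150000 20181108150000 46380 irtf.org. c2ln",
        "irtf.org. 1800 IN RRSIG DNSKEY 5 2 1800 20181122150000 20181108150000 46380 irtf.org. c2ln",
    ],
    "ns-secondary.example": [  # hypothetical secondary that missed the update
        "www.irtf.org. 1800 IN RRSIG A 5 3 1800 20181109213333 20181026213333 46380 irtf.org. c2ln",
        "www.irtf.org. 1800 IN RRSIG AAAA 5 3 1800 20181109213526 20181026213526 46380 irtf.org. c2ln",
        "irtf.org. 1800 IN RRSIG DNSKEY 5 2 1800 20181115000000 20181101000000 46380 irtf.org. c2ln",
    ],
}

def _ts(text):
    # Only the 14-digit YYYYMMDDHHmmSS form is handled here.
    if len(text) != 14 or not text.isdigit():
        raise ValueError(f"unsupported RRSIG time: {text!r}")
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    # Fields after "RRSIG": type, algorithm, labels, original TTL,
    # expiration, inception, keytag, signer, signature.
    f = line.split()
    i = f.index("RRSIG")
    return {"owner": f[0].rstrip("."), "type": f[i + 1], "expires": _ts(f[i + 5]),
            "inception": _ts(f[i + 6]), "keytag": int(f[i + 7])}

def audit(answers, now, warn=timedelta(days=3)):
    rows = [(srv, parse_rrsig(l)) for srv, lines in answers.items() for l in lines]
    newest = {}  # latest inception seen on any server, per (owner, type, keytag)
    for _, r in rows:
        key = (r["owner"], r["type"], r["keytag"])
        newest[key] = max(newest.get(key, r["inception"]), r["inception"])
    findings = []
    for srv, r in rows:
        if r["expires"] <= now:
            status = "EXPIRED"
        elif r["expires"] - now <= warn:
            status = "EXPIRING"
        elif r["inception"] < newest[(r["owner"], r["type"], r["keytag"])]:
            status = "STALE"  # another server already serves a newer signature
        else:
            continue
        findings.append((srv, r["owner"], r["type"], r["keytag"], status))
    return sorted(findings)
```

Calling `audit(ANSWERS, now)` with a UTC-aware `now` returns one tuple per problem signature; in production the lines would come from querying each authoritative server directly with the DNSSEC OK bit set rather than through a resolver.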