Re: [tlug] sudden dnssec errors for .jp domains

["Nikolay Elenkov" <nick@example.com>]

nigel barker writes:
> Hi All,
>
> My school is suddenly getting dns errors with japanese websites this
> evening. We can't even access such staples as yahoo.co.jp  Everywhere
> else in the world seems to be fine.  I'm seeing errors like this
>
...
>
>  I have to admit I know little about dnssec. (or dns at all if I'm
> honest). How would I go about fixing this? There have been no changes
> to bind, or any other part of the server today. Has something changed
> at NTT, that you know of?
>

We saw something similar a while ago. Zone/key signing keys expire, and if
they are not renewed in time you will get errors. It could be a problem
with your trusted keys settings (trusted-keys and/or managed-keys). If you
have managed-keys KSKs should be updated automatically, but check logs for
errors. Or maybe somebody managing .jp forgot to renew keys in time.

> dnssec-validation is set to auto in named.conf.options
>
>

Easiest is to switch off validation (set to no). DNSSEC is a bit of a hot
mess anyway.