Solved Bogus DNSSEC record - website down

patrickkasie

We host a website called domain.nl and our NS will not resolve it any longer.
Code:
# dig DNSKEY domain.nl

; <<>> DiG 9.11.36-RedHat-9.11.36-11.el8_9 <<>> DNSKEY domain.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65096
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;domain.nl.                  IN      DNSKEY

;; Query time: 13 msec
;; SERVER: 195.8.195.8#53(195.8.195.8)
;; WHEN: Tue Nov 28 18:36:05 CET 2023
;; MSG SIZE  rcvd: 41
I have removed the DNSKEY using the pdnsutil remove-zone-key domain.nl keyid command. It looks like it has been successfully deleted when I look in the database, but even after 20 minutes and 2 reboots of the NS later there is no progress: I still cannot get domain.nl to resolve.
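As an added check (example code written for this thread, not part of the original post and not PowerDNS code), the script below compares the DS records a parent zone publishes with the DNSKEY RRset the child zone serves. That comparison is what a validating resolver performs before it declares a zone bogus and answers SERVFAIL, as in the dig output above. It computes RFC 4034 key tags and DS digests, lists DS records that no current DNSKEY matches, and classifies the chain as insecure, secure or bogus. The domain.nl key material is constructed dummy bytes, and the "removed key" stands in for a key deleted with pdnsutil remove-zone-key.

```python
"""Check a parent's DS records against the DNSKEY RRset the child zone serves.
A DS that no DNSKEY matches breaks the chain of trust and validating resolvers
answer SERVFAIL (the zone is "bogus"); a parent with no DS at all leaves the
zone merely insecure, and it still resolves. Keys here are constructed dummy
bytes, not real DNSSEC keys."""
import base64
import hashlib
import struct
from dataclasses import dataclass

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        # wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    @property
    def key_tag(self) -> int:
        # RFC 4034 Appendix B, valid for every algorithm except the obsolete RSA/MD5 (1)
        ac = 0
        for i, b in enumerate(self.rdata):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class Ds:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def to_line(self, ttl: int = 3600) -> str:
        return (f"{self.owner} {ttl} IN DS {self.key_tag} {self.algorithm} "
                f"{self.digest_type} {self.digest.hex()}")


def owner_wire(name: str) -> bytes:
    # canonical wire form: lowercase labels, each length-prefixed, then the root label
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def make_ds(key: DnsKey, digest_type: int = 2) -> Ds:
    # RFC 4034 section 5.1.4: digest = hash(owner name | DNSKEY RDATA); type 2 = SHA-256
    digest = DIGESTS[digest_type](owner_wire(key.owner) + key.rdata).digest()
    return Ds(key.owner, key.key_tag, key.algorithm, digest_type, digest)


def parse_dnskey(line: str) -> DnsKey:
    # presentation format: owner ttl IN DNSKEY flags protocol algorithm base64...
    owner, _ttl, _cls, _type, flags, proto, alg, *b64 = line.split()
    return DnsKey(owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_ds(line: str) -> Ds:
    # presentation format: owner ttl IN DS keytag algorithm digesttype hex...
    owner, _ttl, _cls, _type, tag, alg, dtype, *hexdigest = line.split()
    return Ds(owner, int(tag), int(alg), int(dtype), bytes.fromhex("".join(hexdigest)))


def ds_matches(ds: Ds, key: DnsKey) -> bool:
    # cheap fields first, then recompute the digest over the zone's own DNSKEY
    if (ds.key_tag, ds.algorithm) != (key.key_tag, key.algorithm):
        return False
    return ds.digest == make_ds(key, ds.digest_type).digest


def orphaned_ds(ds_records, keys):
    """DS records at the parent that no DNSKEY in the child zone matches."""
    return [ds for ds in ds_records if not any(ds_matches(ds, k) for k in keys)]


def chain_status(ds_records, keys) -> str:
    """'insecure' (no DS), 'secure' (some DS matches a DNSKEY) or 'bogus' (none does)."""
    if not ds_records:
        return "insecure"
    return "bogus" if len(orphaned_ds(ds_records, keys)) == len(ds_records) else "secure"


# Constructed sample: the zone now serves one KSK, while the parent still holds a DS
# for a KSK that was removed (as with `pdnsutil remove-zone-key`) next to the current one.
CURRENT_KEY = parse_dnskey("domain.nl. 3600 IN DNSKEY 257 3 13 AQIDBA==")
REMOVED_KEY = DnsKey("domain.nl.", 257, 3, 13, b"\x09\x09\x09\x09")
PARENT_DS = [parse_ds(make_ds(REMOVED_KEY).to_line()),
             parse_ds(make_ds(CURRENT_KEY).to_line())]

if __name__ == "__main__":
    print("key tag of current KSK:", CURRENT_KEY.key_tag)
    for ds in orphaned_ds(PARENT_DS, [CURRENT_KEY]):
        print("orphaned DS at parent:", ds.to_line())
    print("chain status:", chain_status(PARENT_DS, [CURRENT_KEY]))
    # with only the stale DS left at the parent the zone would be bogus
    print("stale DS only:", chain_status(PARENT_DS[:1], [CURRENT_KEY]))
```

In practice you would feed it the DS set fetched from the parent (dig DS domain.nl against a .nl nameserver) and the DNSKEY set from your own authoritative server. dig's +cd option asks the resolver to skip validation, so an answer that arrives with +cd but SERVFAILs without it points at the chain of trust rather than at the nameserver itself. Removing a key on the authoritative side does not remove its DS at the registry, and resolvers keep cached DS and DNSKEY records until their TTLs expire, which is why a correction can take a while to become visible everywhere.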
 
This seems to have worked, but it took over 1.5 hours before it all started working properly, and some of the applications I was using stopped working by themselves, by sheer coincidence, which had nothing at all to do with the website/NS.
 
Phuuuu... that's long. Normally only things like nameserver and NS IP changes take that long, at least; DNS keys alone normally don't take that long.
I've had them, and adding and removing was done within half an hour.

Anyway, glad it's fixed.
 
It's probably because of the weird behavior of our NS that it showed 5 different results, which then took 1 hour for themselves to realise "hey, something's up", but the zone update didn't happen for another half an hour afterwards.
 