This should be fixed now, please let us know if this is not accurate. Pat On 06/10/2012 08:54 AM, Vladimir Mosgalin wrote: > Hi [log in to unmask] > > On 2012.06.07 at 18:01:30 +0000, [log in to unmask] wrote next: > >> My apologies, should have checked with another DNS resolver. >> >> I shall report this DNS fault to our site admin. >> >> Thanks for your speedy reply. > I'm pretty sure it was fault of either SL hosting provider or someone > else close to it in DNS chain, not your site admin. This time, it lasted > for a day or two, I think. > > Exactly same thing happened before, check out > http://listserv.fnal.gov/scripts/wa.exe?A2=ind1112&L=scientific-linux-users&T=0&P=2757 > > > Few days ago, scientificlinux.org wasn't resolving for me either. > My bind checked google DNS servers and all others and situation was the same everywhere: > > validating @0x7f93b01ee450: fnal.gov DNSKEY: no valid signature found (DS) > error (no valid RRSIG) resolving 'fnal.gov/DNSKEY/IN': 8.8.4.4#53 > validating @0x7f93bc8865f0: fnal.gov DNSKEY: no valid signature found (DS) > error (no valid RRSIG) resolving 'fnal.gov/DNSKEY/IN': 8.8.8.8#53 > validating @0x7f93b0c09f90: fnal.gov DNSKEY: no valid signature found (DS) > error (no valid RRSIG) resolving 'fnal.gov/DNSKEY/IN': 198.49.208.70#53 > validating @0x7f93b433e5f0: fnal.gov DNSKEY: no valid signature found (DS) > error (no valid RRSIG) resolving 'fnal.gov/DNSKEY/IN': 198.49.208.71#53 > validating @0x7f93ac1e1290: fnal.gov DNSKEY: no valid signature found (DS) > error (no valid RRSIG) resolving 'fnal.gov/DNSKEY/IN': 2001:400:6000::22#53 > validating @0x7f93bc8865f0: fnal.gov DNSKEY: no valid signature found (DS) > error (no valid RRSIG) resolving 'fnal.gov/DNSKEY/IN': 2001:400:910:1::2#53 > validating @0x7f93b433e5f0: fnal.gov DNSKEY: no valid signature found (DS) > error (no valid RRSIG) resolving 'fnal.gov/DNSKEY/IN': 198.128.2.10#53 > [..skipped..] > > error (broken trust chain) resolving 'linux21.fnal.gov/A/IN': 8.8.4.4#53 > validating @0x7f93ac1e1290: MLV3I3JULF9HLTIIPF6CQHA1Q51TOGTU.fnal.gov NSEC3: bad cache hit (fnal.gov/DNSKEY) > error (broken trust chain) resolving 'linux21.fnal.gov/AAAA/IN': 8.8.4.4#53 > validating @0x7f93b433e5f0: linux01.fnal.gov A: bad cache hit (fnal.gov/DNSKEY) > error (broken trust chain) resolving 'linux01.fnal.gov/A/IN': 8.8.4.4#53 > validating @0x7f93b01284d0: fnal.gov SOA: bad cache hit (fnal.gov/DNSKEY) > validating @0x7f93b01284d0: 6JGTJCC74FMN7VR86T153U5TDA4MBUDT.fnal.gov NSEC3: bad cache hit (fnal.gov/DNSKEY) > error (broken trust chain) resolving 'linux01.fnal.gov/AAAA/IN': 8.8.8.8#53 > validating @0x7f93b433e5f0: linux9.fnal.gov A: bad cache hit (fnal.gov/DNSKEY) > error (broken trust chain) resolving 'linux9.fnal.gov/A/IN': 8.8.8.8#53 > validating @0x7f93b01284d0: fnal.gov SOA: bad cache hit (fnal.gov/DNSKEY) > validating @0x7f93b01284d0: TSR1OLABBBB6N3BA20AH8OLM0CPQE8LP.fnal.gov NSEC3: bad cache hit (fnal.gov/DNSKEY) > [..and so on..] > > > I believe that the fact that it started to work when you changed DNS > resolver just means that they use outdated DNS server which doesn't care > about DNSSEC :) > > Not that I need DNSSEC to trust the way SL website resolves, however > it's somewhat sad that situations like this happen again. > > -- Pat Riehecky Scientific Linux Developer