Do you publish DNSSEC signed zones @Linode's NS? Can you share this external test data?
In troubleshooting/reporting, I need an additional piece of data – external to MY environment and Linode.
If you have an active/working DNSSEC-at-Linode setup that you can do a test on and share an anonymized result from, it'd be helpful and appreciated.
Specifically, for a use case as similar as possible to:
* your unsigned zone lists its NS as Linode's: ns(1-5).linode.com
* your unsigned zone is locally signed under your control -- the NS are signed for delegation as well, *not* "OptOut"-ed
* the signed result is AXFR'd to Linode's axfr(1-5).linode.com
* after adequate propagation time, you can verify that your signed zone data -- particularly the SOA and the RRSIG SOA -- is consistent between your master, ns(1-5).linode.com, and the "out there" web (e.g., @Google NS)
Now, for THAT^ consistently signed & propagated zone, I need to see the "DNSSEC SOA record date check" section test-result from DNSSTUFF's dns test @
http://www.dnsstuff.com/tools#dnsReport|type=domain&&value=<your_domain.tld>
My result, e.g., for a zone that lists ns(1-5).linode.com as its NSs, the result looks like this:
DNSSEC SOA record date check
DNSSEC SOA date has expired. This is bad because any signed data is now considered Bogus (RFC4033 section 5) and cannot be validated (RFC4641 section 4.1.1).
ns1.linode.com. has an expiration date of 20170109221710 | year=2017 month=01 day=09
ns3.linode.com. has an expiration date of 20170109221710 | year=2017 month=01 day=09
ns4.linode.com. has an expiration date of 20170109221710 | year=2017 month=01 day=09
ns2.linode.com. has an expiration date of 20170109221710 | year=2017 month=01 day=09
ns5.linode.com. has an expiration date of 20170109221710 | year=2017 month=01 day=09
What's yours?
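
The same date check can be reproduced locally. This is an added example, not part of the original post and not DNSSTUFF's code: it parses RRSIG SOA lines as printed by `dig +dnssec SOA <zone> @<server>`, then reports per-server signature status and whether every server holds the same expiration. The zone `example.com.`, the `master.example.com.` name, the key tag, the inception dates, the master's expiration and the signature blob are constructed; the `20170109221710` expiration is the one reported above.

```python
from datetime import datetime, timezone

# Constructed sample input: one RRSIG SOA answer line per queried server,
# in the presentation format of RFC 4034 section 3.2.
SAMPLE = {
    "master.example.com.": "example.com. 3600 IN RRSIG SOA 8 2 3600 "
        "20170209221710 20170110211710 12345 example.com. c2lnbmF0dXJl",
    "ns1.linode.com.": "example.com. 3600 IN RRSIG SOA 8 2 3600 "
        "20170109221710 20161210211710 12345 example.com. c2lnbmF0dXJl",
    "ns2.linode.com.": "example.com. 3600 IN RRSIG SOA 8 2 3600 "
        "20170109221710 20161210211710 12345 example.com. c2lnbmF0dXJl",
}

def _ts(value):
    # Only the 14-digit YYYYMMDDHHmmSS form (always UTC) is handled here.
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Extract the validity window from one RRSIG line."""
    fields = line.split()
    i = fields.index("RRSIG")
    covered, _alg, _labels, _ttl, exp, inc, keytag, signer = fields[i + 1:i + 9]
    return {"covered": covered, "expiration": _ts(exp), "inception": _ts(inc),
            "keytag": int(keytag), "signer": signer}

def check_soa_signatures(answers, now):
    """Return ({server: (status, expiration)}, all_servers_agree)."""
    report = {}
    for server, line in answers.items():
        sig = parse_rrsig(line)
        if sig["covered"] != "SOA":
            continue  # only the RRSIG covering the SOA is of interest
        if now > sig["expiration"]:
            status = "expired"        # validators treat the data as Bogus
        elif now < sig["inception"]:
            status = "not-yet-valid"  # often a clock or signing-time problem
        else:
            status = "valid"
        report[server] = (status, sig["expiration"])
    consistent = len({exp for _, exp in report.values()}) == 1
    return report, consistent

if __name__ == "__main__":
    report, consistent = check_soa_signatures(SAMPLE, datetime.now(timezone.utc))
    for server, (status, exp) in sorted(report.items()):
        print(f"{server:22} {status:14} expires {exp:%Y-%m-%d %H:%M:%S} UTC")
    print("expiration consistent across servers:", consistent)
```

A differing expiration between the master and the secondaries points at the transfer step rather than at signing, since the secondaries are serving an older copy of the signed zone.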