* https://dnssec-analyzer.verisignlabs.com/colmena.biz
* https://dnsviz.net/d/colmena.biz/dnssec/

They do appear to have lost a key somewhere at the Pentagon//military level of the DNSSEC hierarchy.

Hi. The .BIZ top-level domain was signed back in August 2010. Since that time you can have a .BIZ domain signed with DNSSEC.

This is obstructing business and commerce on the web.

A quick 15min bash script yielded a limitation of fork speeds, so we aren’t really putting much load on the servers.

The data below was captured some time ago, for the most recent results see: https://dnsviz.net/d/_25._tcp.barracuda.truman.edu/dnssec/

The nameserver for truman.edu returns a very slightly different (and thus invalid) signature for the same SOA record in negative replies than it does for a direct SOA query.

;truman.edu. IN SOA
truman.edu. SOA ns3.truman.edu. dns-alerts.truman.edu. 2065422032 3600 900 1209600 3600
truman.edu. RRSIG SOA 5 2 3600 20160906050001 20160807050001 17523 truman.edu. B6Qfu3gkP6P8hzMOrCiCTorxzdBdNny7q5cKAZp9U1HeVEazjfA30v26lyTvqs4TwiJ/jCuwUP62uSCJOGegz84dGWrvYImMoDLrP/jE4EjeWs8ppf1C0ouOw+XAH3fdXDdc34TuQH0gNpNRnI63bFf8Huegq/12gKH+gF+1Mog=

;_25._tcp.barracuda.truman.edu. IN TLSA
truman.edu. SOA ns3.truman.edu. dns-alerts.truman.edu. 2065422032 3600 900 1209600 3600
truman.edu. RRSIG SOA 5 2 3600 20160906050001 20160807050001 17523 truman.edu. B6Qfu3gkP6P8hzMOrCiCTorxzdBdNny7q5cKAZp9U1HeVEazjfA30v26lyTvqs4TwiJ/jCuwUP62uSCJOGegz84dGWrvYImMoDLrP/jE4EjeWs8ppf1C0ouOw+XAH3fdXDdc34TuQH0gNpNRnI63bFf8Huegq/12gKH+gAAAAlg=

These signatures differ only in the final 8 base64 encoded characters:

gF+1Mog=
gAAAAlg=

which decode to:

80 5f b5 32 88
80 00 00 02 58

thus the mysterious damage is in the final 32 bits of the signature.