[Unbound-users] DNSSEC validation failure of .nl TLD

Paul Wouters paul at nohats.ca
Mon Oct 29 00:41:29 CET 2012


On Sun, 28 Oct 2012, Leen Besselink wrote:

> On Sun, Oct 28, 2012 at 10:29:18PM +0100, Stephane Bortzmeyer wrote:
>> On Sun, Oct 28, 2012 at 10:13:30PM +0100,
>>  Leen Besselink <leen at consolejunkie.net> wrote
>>  a message of 20 lines which said:
>>
>>> Today for me the .nl top level domain stopped to be valid.
>>
>> .nl added a new ZSK, 20331, around 2000 UTC. Could it be related?
>>
>
> Maybe, the error was:
>
> verify rrset <sidn.nl. DS IN>
> DS rrset in DS response did not verify
> validator operate: query <www.sidn.nl. A IN>
> Could not establish a chain of trust to keys for <sidn.nl. DNSKEY IN>
>
> But I'm starting to think I should have logged some for .nl itself to be really useful.

I've seen similar outages. I experienced one too yesterday where my own
nohats.ca (but really almost all queries) failed to resolve. I ran a
verbosity 2 while the process was still running and it showed a massive
amount of ipv6 connection attempts (despite not having been on an ipv6
network in weeks)

A similar even seem to have happened on the Sunday of ICANN45 in Toronto,
where some important high up record stopped validating, causing everything
below it to fail.

Paul



More information about the Unbound-users mailing list