[Unbound-users] DNSSEC validation failure of .nl TLD
casey at deccio.net
Mon Oct 29 20:14:21 CET 2012
On Mon, Oct 29, 2012 at 5:49 AM, Sander Smeenk <ssmeenk at freshdot.net> wrote:
> Quoting Leen Besselink (leen at consolejunkie.net):
> > > >>> verify rrset <sidn.nl. DS IN>
> > > >>> DS rrset in DS response did not verify
> > > >>> validator operate: query <www.sidn.nl. A IN>
> > > >>> Could not establish a chain of trust to keys for <sidn.nl. DNSKEY
> > > Just to let you know we are aware of this and investigating it.
> > > Nothing to report further yet, though...
> > As I mentioned before this was with an old version of Unbound, the bug
> > is probably fixed already. And if you want a log and a cache-dump
> > mail me directly, I'll send it to you.
> The issue with the .nl validation we've seen yesterday evening is not
> related to Unbound or Unbound versions. People using different resolver
> software also reported problems with the .nl zone.
> SIDN is looking into it and will probably release some formal
> communication about it in due time. ;-)
FWIW, ISC DNSDB shows that the DNSKEY RRset *prior* to insertion of the new
ZSK was seen as late as 2012-10-28 19:40:50, but the RRSIG covering
sidn.nl/DS made by the new ZSK was seen as soon as 2012-10-28 19:55:50,
only 15 minutes later. Looks like perhaps the new ZSK wasn't pre-published
long enough. Since the TTL of the nl/DNSKEY RRset is two hours, it is very
possible that validators were attempting to validate RRSIGs made by the new
ZSK having only a version of the nl/DNSKEY RRset without the new ZSK in
;; last seen: 2012-10-28 19:40:50 -0000
nl. IN DNSKEY 256 3 8
nl. IN DNSKEY 257 3 8
;; first seen: 2012-10-28 19:55:50 -0000
;; last seen: 2012-10-29 14:14:43 -0000
sidn.nl. IN RRSIG DS 8 2 7200 1352664247 1351444502 20331 nl.
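The timing argument above (a validator still holding a cached nl/DNSKEY RRset that lacks the new ZSK, while the authoritative servers already hand out RRSIGs made by that ZSK) can be modelled directly. The following is an added example, not code from the message, from Unbound or from SIDN. It takes the two DNSDB timestamps, the two-hour DNSKEY TTL and the key tag 20331 from the quoted RRSIG; the old ZSK and KSK key tags (11111, 22222) and the exact moment the new ZSK entered the RRset (taken, pessimistically, as the moment the first signature by it was seen) are constructed assumptions. The `earliest_safe_signing_time` rule is the pre-publish ZSK rollover guidance from RFC 6781, generalised to an arbitrary TTL and propagation margin.

```python
"""Pre-publish ZSK rollover as seen from a validator's DNSKEY cache.

Added example; not code from the original message, Unbound or SIDN.
Timestamps and the 2-hour nl/DNSKEY TTL are from the message; key tags other
than 20331 and the moment the new ZSK was published are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DNSKEY_TTL = timedelta(hours=2)          # TTL of the nl/DNSKEY RRset (from the message)

# Observed in ISC DNSDB, as quoted in the message.
OLD_SET_LAST_SEEN = datetime(2012, 10, 28, 19, 40, 50, tzinfo=UTC)
NEW_SIG_FIRST_SEEN = datetime(2012, 10, 28, 19, 55, 50, tzinfo=UTC)

# 20331 is the key tag in the quoted sidn.nl/DS RRSIG. The old ZSK and KSK
# tags are placeholders (assumption).
OLD_ZSK, KSK, NEW_ZSK = 11111, 22222, 20331


@dataclass(frozen=True)
class DnskeyVersion:
    """One version of a zone's DNSKEY RRset and when it became authoritative."""
    published_at: datetime
    key_tags: frozenset


# Assumption: the new ZSK entered the RRset at the same moment the first RRSIG
# made by it was seen (worst case; the real time lies somewhere in the 15
# minutes after OLD_SET_LAST_SEEN).
NL_DNSKEY_HISTORY = [
    DnskeyVersion(datetime(2012, 10, 1, tzinfo=UTC), frozenset({OLD_ZSK, KSK})),
    DnskeyVersion(NEW_SIG_FIRST_SEEN, frozenset({OLD_ZSK, KSK, NEW_ZSK})),
]


def authoritative_dnskey(history, at):
    """Key tags in the DNSKEY RRset the authoritative servers serve at `at`."""
    current = None
    for version in sorted(history, key=lambda v: v.published_at):
        if version.published_at <= at:
            current = version
    if current is None:
        raise ValueError("no DNSKEY RRset published yet at %s" % at)
    return current.key_tags


def can_validate(history, fetched_at, sig_seen_at, signer_tag, ttl=DNSKEY_TTL):
    """Can a validator that cached the DNSKEY RRset at `fetched_at` verify, at
    `sig_seen_at`, an RRSIG made by `signer_tag`?

    The validator reuses its cached copy until the TTL runs out and only then
    re-fetches; a signature whose key tag is absent from the copy it holds is
    exactly the "DS rrset in DS response did not verify" case from the thread.
    """
    if sig_seen_at < fetched_at:
        raise ValueError("signature cannot be seen before the cache was filled")
    cache_expires = fetched_at + ttl
    if sig_seen_at < cache_expires:
        tags = authoritative_dnskey(history, fetched_at)   # stale copy, still fresh
    else:
        tags = authoritative_dnskey(history, sig_seen_at)  # TTL expired, re-fetched
    return signer_tag in tags


def earliest_safe_signing_time(new_key_published_at, ttl=DNSKEY_TTL,
                               propagation=timedelta(0)):
    """Pre-publish rule (RFC 6781): the new ZSK must sit in the DNSKEY RRset for
    at least the RRset's TTL (plus propagation to secondaries) before it signs
    anything, so every cached copy without it has had a chance to expire."""
    return new_key_published_at + ttl + propagation


def rollover_timing_ok(new_key_published_at, first_signing_at, ttl=DNSKEY_TTL,
                       propagation=timedelta(0)):
    """True if signing with the new key started no earlier than the safe time."""
    return first_signing_at >= earliest_safe_signing_time(
        new_key_published_at, ttl, propagation)


if __name__ == "__main__":
    # A resolver that refreshed nl/DNSKEY just before the change holds the old
    # set for two hours and cannot verify the new signature 15 minutes later.
    print(can_validate(NL_DNSKEY_HISTORY, OLD_SET_LAST_SEEN, NEW_SIG_FIRST_SEEN, NEW_ZSK))
    # Once its copy expires it re-fetches and verification succeeds.
    print(can_validate(NL_DNSKEY_HISTORY, OLD_SET_LAST_SEEN,
                       OLD_SET_LAST_SEEN + DNSKEY_TTL, NEW_ZSK))
    # With publication and first use only 15 minutes apart, the rollover
    # fell short of the two-hour pre-publication the TTL demands.
    print(rollover_timing_ok(NEW_SIG_FIRST_SEEN, NEW_SIG_FIRST_SEEN))
```

Run it as a script to see the three outcomes (False, True, False). The `propagation` margin is there because the TTL clock for a given cache only starts once the secondary that served it has the new RRset; an operator checking their own rollover plan should add their zone-transfer lag to it.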