On Mon, Oct 29, 2012 at 5:49 AM, Sander Smeenk <[email protected]> wrote:
> Quoting Leen Besselink ([email protected]): > > > > >>> verify rrset <sidn.nl. DS IN> > > > >>> DS rrset in DS response did not verify > > > >>> validator operate: query <www.sidn.nl. A IN> > > > >>> Could not establish a chain of trust to keys for <sidn.nl. DNSKEY > IN> > > > > Just to let you know we are aware of this and investigating in. > > > Nothing to report further yet, though... > > > As I mentioned before this was with an old version of Unbound, the bug > > is probably fixed already. And if you want a log and a cache-dump > > mail me directly, I'll send it to you. > > The issue with the .nl validation we've seen yesterday evening are not > related to Unbound or Unbound versions. People using different resolver > software also reported problems with the .nl zone. > > SIDN is looking in to it and will probably release some formal > communication about it in due time. ;-) > > FWIW, ISC DNSDB shows that the DNSKEY RRset *prior* to insertion of the new ZSK was seen as late as 2012-10-28 19:40:50, but the RRSIG covering sidn.nl/DS made by the new ZSK was seen as soon as 2012-10-28 19:55:50, only 15 minutes later. Looks like perhaps the new ZSK wasn't pre-published long enough. Since the TTL of the nl/DNSKEY RRset is two hours, it is very possible that validators were attempting to validate RRSIGs made by the new ZSK having only a version of the nl/DNSKEY RRset without the new ZSK in cache. ;; last seen: 2012-10-28 19:40:50 -0000 nl. IN DNSKEY 256 3 8 AwEAAcCIZ6GTKCwV5fpNXuvSr6eOPDo0NRrCFjjmerK1UphiWCpoV5oX bCydxv3wyOPAhIRNSUOzT/o8WegaNy93jM+arLHi/4oYpasXDDcBSIjZ j8LpYzAP7fbUrkw8kSjmr+IA/mawpuQ8m/XTtgn7AIzL1eN38/iMTp6K fPWa9dHZ nl. IN DNSKEY 257 3 8 AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TN bmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX qyGe2Mm+ZNRsomBxhluR/ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyh hpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4 FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0 yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAx qcfEfARr4b0= ;; first seen: 2012-10-28 19:55:50 -0000 ;; last seen: 2012-10-29 14:14:43 -0000 sidn.nl. IN RRSIG DS 8 2 7200 1352664247 1351444502 20331 nl. aP/JmxOzE3nzDj7fgKq+T6/j9f2c4DKTyAF9wKckSukeDSfbXqO0Iias ZIl6kAn/7m4aE4nIoOsZr45GsiTmY49rquR7LNlcuxCv37SqFvwCTKsM 8ARyHfOXG+oG+DdbO2uYpIYDlJBN2gpBkFkgcepUZ3aiuXnnXN8OuBbI rdY= Regards, Casey
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
