[ Quoting <[email protected]> in "Re: [Unbound-users] DNSSEC validati..." ] > FWIW, ISC DNSDB shows that the DNSKEY RRset *prior* to insertion of the new > ZSK > was seen as late as 2012-10-28 19:40:50, but the RRSIG covering sidn.nl/DS > made > by the new ZSK was seen as soon as 2012-10-28 19:55:50, only 15 minutes > later. > Looks like perhaps the new ZSK wasn't pre-published long enough. Since the > TTL > of the nl/DNSKEY RRset is two hours, it is very possible that validators were > attempting to validate RRSIGs made by the new ZSK having only a version of the > nl/DNSKEY RRset without the new ZSK in cache. > > ;; last seen: 2012-10-28 19:40:50 -0000 > nl. IN DNSKEY 256 3 8 AwEAAcCIZ6GTKCwV5fpNXuvSr6eOPDo0NRrCFjjmerK1UphiWCpoV5oX > bCydxv3wyOPAhIRNSUOzT/o8WegaNy93jM+arLHi/4oYpasXDDcBSIjZ > j8LpYzAP7fbUrkw8kSjmr+IA/mawpuQ8m/XTtgn7AIzL1eN38/iMTp6K fPWa9dHZ > nl. IN DNSKEY 257 3 8 AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TN > bmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX qyGe2Mm+ZNRsomBxhluR/ > ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyh > hpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4 > FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0 > yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAx qcfEfARr4b0= > > ;; first seen: 2012-10-28 19:55:50 -0000 > ;; last seen: 2012-10-29 14:14:43 -0000 > sidn.nl. IN RRSIG DS 8 2 7200 1352664247 1351444502 20331 nl. aP/ > JmxOzE3nzDj7fgKq+T6/j9f2c4DKTyAF9wKckSukeDSfbXqO0Iias ZIl6kAn/ > 7m4aE4nIoOsZr45GsiTmY49rquR7LNlcuxCv37SqFvwCTKsM > 8ARyHfOXG+oG+DdbO2uYpIYDlJBN2gpBkFkgcepUZ3aiuXnnXN8OuBbI rdY=
That's cool info! Note that day light saving was activated (de-activated? I
never know) the evening before...
Regards,
--
Miek Gieben http://miek.nl
signature.asc
Description: Digital signature
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
