-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,
On 10/29/12 20:14, Casey Deccio wrote: > Looks like perhaps the new ZSK wasn't pre-published long enough. As promised a brief (informal) follow-up on what happened. Indeed the new ZSK wasn't pre-published long enough. After OpenDNSSEC generated it and just prior to publishing it in the DNS, the software encountered a problem. As a result of that, the zonefile was never published. In fact, we missed two zonefileupdates before we got all the right people mobilised and where ready to restart the process. When we published the new zonefile, OpenDNSSEC figured that the pre-publication time was long enough and started to include new RRSIg's, made by the new ZSK. This resulted in validation errors. So, the observation of Casey was just right. We will maintain to look into this issue further and we will implement protective measures to prevent this from happening again. Regards, - -- Marco -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlCRC4wACgkQ0dvyGJ94G1I5NQCgt2/iV3JHjawST1GPwO6aTzpH zJYAoIbxYJFR/gWpD4Xt3F0X4DVNTsD8 =0Kn1 -----END PGP SIGNATURE----- _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
