Maintained by: NLnet Labs

[Unbound-users] Help troubleshooting validation failures on ca.gov domains.

Augie Schwer
Thu Mar 22 23:10:41 CET 2012


On Wed, Mar 21, 2012 at 7:53 PM, Olafur Gudmundsson <ogud at ogud.com> wrote:
> The first thing that jumps out is the domain is using 2 different DNSKEY
> algorithms this increases possibility of mistakes.
> ALG 7 is in the record in parent with corresponding DNSKEY record signing
> the DNSKEY, but the key for algorithm 7 that signs the www.ca.gov A RRset is
> not in the DNSKEY RRset.

Indeed, what I didn't realize was that the site
http://dnsviz.net/d/www.ca.gov/dnssec/ was working on old data, when I
re-ran the report it reported like you said that they had signed their
RRset with a new un-published key.

It appears they have fixed their zone now, thanks for your help in
making sense of what happened.


-- 
Augie Schwer    -    Augie at Schwer.us    -    http://schwer.us
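Added example (not part of the original thread, and not ca.gov's real keys): a small Python check for the failure mode Olafur describes. It computes RFC 4034 key tags for a DNSKEY RRset and reports any RRSIG whose (key tag, algorithm) pair matches no published key, which is exactly the "signed with a new un-published key" case; it also reports any algorithm present in the DNSKEY RRset that did not sign the RRset (the RFC 6840 section 5.11 rule that makes mixed-algorithm zones easy to get wrong). All key material and the second algorithm (8) are constructed sample values; the message only says algorithm 7 was involved.

```python
"""Check RRSIG/DNSKEY consistency for one RRset.

Added example with constructed keys; none of this is the real ca.gov zone data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 256 = ZSK, 257 = KSK (SEP bit set)
    algorithm: int      # 7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256
    public_key: bytes   # constructed bytes, not a real RSA key
    protocol: int = 3   # always 3 for DNSSEC (RFC 4034)

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag: 16-bit one's-complement-style sum over RDATA."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str


def unpublished_signers(dnskeys, rrsigs):
    """RRSIGs whose (key_tag, algorithm) matches no key in the published DNSKEY RRset.

    A validator cannot verify such a signature at all, so the RRset fails validation
    even though the zone itself is otherwise correctly signed.
    """
    published = {(k.key_tag(), k.algorithm) for k in dnskeys}
    return [s for s in rrsigs if (s.key_tag, s.algorithm) not in published]


def algorithms_without_signature(dnskeys, rrsigs):
    """Algorithms in the DNSKEY RRset that did not sign this RRset (RFC 6840 s5.11).

    Signers must sign every RRset with each algorithm present in the DNSKEY RRset;
    forgetting one algorithm during a rollover is a common mixed-algorithm mistake.
    """
    return sorted({k.algorithm for k in dnskeys} - {s.algorithm for s in rrsigs})


# Constructed sample zone: a KSK and ZSK for algorithm 7, a ZSK for algorithm 8,
# and a new algorithm-7 ZSK that was used for signing but never published.
KSK_A = DNSKEY(257, 7, b"\x01\x02\x03\x04")
ZSK_B = DNSKEY(256, 7, b"\x10\x20\x30\x40")
ZSK_D = DNSKEY(256, 8, b"\x10\x20\x30\x40")
NEW_ZSK_C = DNSKEY(256, 7, b"\xaa\xbb\xcc\xdd")   # signs, but is NOT in the RRset

DNSKEY_RRSET = [KSK_A, ZSK_B, ZSK_D]

# RRSIGs over the sample www A RRset: algorithm 7 signed with the unpublished key.
A_RRSIGS = [
    RRSIG("A", 7, NEW_ZSK_C.key_tag(), "ca.gov."),
    RRSIG("A", 8, ZSK_D.key_tag(), "ca.gov."),
]


if __name__ == "__main__":
    for k in DNSKEY_RRSET:
        print(f"published DNSKEY alg={k.algorithm} tag={k.key_tag()}")
    for s in unpublished_signers(DNSKEY_RRSET, A_RRSIGS):
        print(f"RRSIG over {s.type_covered} uses unpublished key tag {s.key_tag} alg {s.algorithm}")
    missing = algorithms_without_signature(DNSKEY_RRSET, A_RRSIGS)
    print("algorithms with no RRSIG:", missing or "none")
```

In practice the DNSKEY and RRSIG records would come from `dig +dnssec` or a resolver's cache rather than being constructed inline; the key-tag arithmetic and the two set comparisons are the part worth keeping.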