Maintained by: NLnet Labs

[Unbound-users] DNSSEC validation failure of .nl TLD

Paul Wouters
Mon Oct 29 00:41:29 CET 2012


On Sun, 28 Oct 2012, Leen Besselink wrote:

> On Sun, Oct 28, 2012 at 10:29:18PM +0100, Stephane Bortzmeyer wrote:
>> On Sun, Oct 28, 2012 at 10:13:30PM +0100,
>>  Leen Besselink <leen at consolejunkie.net> wrote
>>  a message of 20 lines which said:
>>
>>> Today for me the .nl top level domain stopped to be valid.
>>
>> .nl added a new ZSK, 20331, around 2000 UTC. Could it be related?
>>
>
> Maybe, the error was:
>
> verify rrset <sidn.nl. DS IN>
> DS rrset in DS response did not verify
> validator operate: query <www.sidn.nl. A IN>
> Could not establish a chain of trust to keys for <sidn.nl. DNSKEY IN>
>
> But I'm starting to think I should have logged some for .nl itself to be really useful.

I've seen similar outages. I experienced one too yesterday where my own
nohats.ca (but really almost all queries) failed to resolve. I ran a
verbosity 2 while the process was still running and it showed a massive
amount of ipv6 connection attempts (despite not having been on an ipv6
network in weeks)

A similar even seem to have happened on the Sunday of ICANN45 in Toronto,
where some important high up record stopped validating, causing everything
below it to fail.

Paul