Maintained by: NLnet Labs

[Unbound-users] DNSSEC validation failure of .nl TLD

Paul Wouters
Mon Oct 29 00:41:29 CET 2012

On Sun, 28 Oct 2012, Leen Besselink wrote:

> On Sun, Oct 28, 2012 at 10:29:18PM +0100, Stephane Bortzmeyer wrote:
>> On Sun, Oct 28, 2012 at 10:13:30PM +0100,
>>  Leen Besselink <leen at> wrote
>>  a message of 20 lines which said:
>>> Today for me the .nl top level domain stopped to be valid.
>> .nl added a new ZSK, 20331, around 2000 UTC. Could it be related?
> Maybe, the error was:
> verify rrset < DS IN>
> DS rrset in DS response did not verify
> validator operate: query < A IN>
> Could not establish a chain of trust to keys for < DNSKEY IN>
> But I'm starting to think I should have logged some for .nl itself to be really useful.

I've seen similar outages. I experienced one too yesterday where my own (but really almost all queries) failed to resolve. I ran a
verbosity 2 while the process was still running and it showed a massive
amount of ipv6 connection attempts (despite not having been on an ipv6
network in weeks)

A similar even seem to have happened on the Sunday of ICANN45 in Toronto,
where some important high up record stopped validating, causing everything
below it to fail.