Maintained by: NLnet Labs

[Unbound-users] DNSSEC validation failure of .nl TLD

Leen Besselink
Mon Oct 29 00:57:59 CET 2012


On Sun, Oct 28, 2012 at 07:41:29PM -0400, Paul Wouters wrote:
> On Sun, 28 Oct 2012, Leen Besselink wrote:
> 
> >On Sun, Oct 28, 2012 at 10:29:18PM +0100, Stephane Bortzmeyer wrote:
> >>On Sun, Oct 28, 2012 at 10:13:30PM +0100,
> >> Leen Besselink <leen at consolejunkie.net> wrote
> >> a message of 20 lines which said:
> >>
> >>>Today for me the .nl top-level domain stopped being valid.
> >>
> >>.nl added a new ZSK, 20331, around 2000 UTC. Could it be related?
> >>
> >
> >Maybe, the error was:
> >
> >verify rrset <sidn.nl. DS IN>
> >DS rrset in DS response did not verify
> >validator operate: query <www.sidn.nl. A IN>
> >Could not establish a chain of trust to keys for <sidn.nl. DNSKEY IN>
> >
> >But I'm starting to think I should have logged some for .nl itself to be really useful.
> 
> I've seen similar outages. I experienced one too yesterday where my own
> nohats.ca (but really almost all queries) failed to resolve. I ran a
> verbosity 2 while the process was still running and it showed a massive
> amount of IPv6 connection attempts (despite not having been on an IPv6
> network in weeks).
> 
> A similar event seems to have happened on the Sunday of ICANN45 in Toronto,
> where some important high up record stopped validating, causing everything
> below it to fail.
> 

I assume this is with a very recent version of ldns/Unbound?

I don't think I had any IPv6 issues; it seems to still want to query over IPv6 too, if I've
read the logs correctly.

> Paul