Maintained by: NLnet Labs

[Unbound-users] DNSSEC validation failure of .nl TLD

Casey Deccio
Mon Oct 29 20:14:21 CET 2012


On Mon, Oct 29, 2012 at 5:49 AM, Sander Smeenk <ssmeenk at freshdot.net> wrote:

> Quoting Leen Besselink (leen at consolejunkie.net):
>
> > > >>> verify rrset <sidn.nl. DS IN>
> > > >>> DS rrset in DS response did not verify
> > > >>> validator operate: query <www.sidn.nl. A IN>
> > > >>> Could not establish a chain of trust to keys for <sidn.nl. DNSKEY IN>
>
> > > Just to let you know we are aware of this and investigating in.
> > > Nothing to report further yet, though...
>
> > As I mentioned before this was with an old version of Unbound, the bug
> > is probably fixed already.  And if you want a log and a cache-dump
> > mail me directly, I'll send it to you.
>
> The issue with the .nl validation we've seen yesterday evening are not
> related to Unbound or Unbound versions. People using different resolver
> software also reported problems with the .nl zone.
>
> SIDN is looking in to it and will probably release some formal
> communication about it in due time. ;-)
>
>
FWIW, ISC DNSDB shows that the DNSKEY RRset *prior* to insertion of the new
ZSK was seen as late as 2012-10-28 19:40:50, but the RRSIG covering
sidn.nl/DS made by the new ZSK was seen as soon as 2012-10-28 19:55:50,
only 15 minutes later.  Looks like perhaps the new ZSK wasn't pre-published
long enough.  Since the TTL of the nl/DNSKEY RRset is two hours, it is very
possible that validators were attempting to validate RRSIGs made by the new
ZSK having only a version of the nl/DNSKEY RRset without the new ZSK in
cache.

;;  last seen: 2012-10-28 19:40:50 -0000
nl. IN DNSKEY 256 3 8
AwEAAcCIZ6GTKCwV5fpNXuvSr6eOPDo0NRrCFjjmerK1UphiWCpoV5oX
bCydxv3wyOPAhIRNSUOzT/o8WegaNy93jM+arLHi/4oYpasXDDcBSIjZ
j8LpYzAP7fbUrkw8kSjmr+IA/mawpuQ8m/XTtgn7AIzL1eN38/iMTp6K fPWa9dHZ
nl. IN DNSKEY 257 3 8
AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TN
bmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX
qyGe2Mm+ZNRsomBxhluR/ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyh
hpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4
FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0
yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAx qcfEfARr4b0=

;; first seen: 2012-10-28 19:55:50 -0000
;;  last seen: 2012-10-29 14:14:43 -0000
sidn.nl. IN RRSIG DS 8 2 7200 1352664247 1351444502 20331 nl.
aP/JmxOzE3nzDj7fgKq+T6/j9f2c4DKTyAF9wKckSukeDSfbXqO0Iias
ZIl6kAn/7m4aE4nIoOsZr45GsiTmY49rquR7LNlcuxCv37SqFvwCTKsM
8ARyHfOXG+oG+DdbO2uYpIYDlJBN2gpBkFkgcepUZ3aiuXnnXN8OuBbI rdY=

Regards,
Casey
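The timing argument and key-tag reasoning in the message above, as an added example (not code from the original thread): it recomputes the RFC 4034 key tags of the quoted nl. DNSKEY records, reads the key tag from the quoted RRSIG, and checks whether signatures by the new ZSK appeared inside the two-hour DNSKEY TTL window. The record text is copied from the post with the RRSIG's signature data omitted; the cache-timing model (a validator may hold the old RRset for a full TTL after DNSDB last saw it) is an assumption.

```python
import base64
from datetime import datetime, timedelta

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_tag(line: str) -> int:
    """Key tag of a presentation-format record 'owner IN DNSKEY flags proto alg base64...'."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return key_tag(flags, proto, alg, base64.b64decode("".join(f[i + 4:])))

def rrsig_key_tag(line: str) -> int:
    """Key tag field of 'owner IN RRSIG type alg labels ottl expire incept keytag signer ...'."""
    f = line.split()
    return int(f[f.index("RRSIG") + 7])

def rollover_window(old_rrset_last_seen: datetime, new_sig_first_seen: datetime, dnskey_ttl: int) -> dict:
    """Assumed model: a validator may keep the old DNSKEY RRset for dnskey_ttl seconds after it was last served."""
    stale_until = old_rrset_last_seen + timedelta(seconds=dnskey_ttl)
    return {
        "prepublish_seconds": int((new_sig_first_seen - old_rrset_last_seen).total_seconds()),
        "stale_cache_possible_until": stale_until,
        "validation_failures_possible": new_sig_first_seen < stale_until,
    }

# DNSDB observations quoted in the post (RRSIG signature bytes omitted; only the key tag field is used).
OLD_NL_DNSKEYS = [
    "nl. IN DNSKEY 256 3 8 AwEAAcCIZ6GTKCwV5fpNXuvSr6eOPDo0NRrCFjjmerK1UphiWCpoV5oXbCydxv3wyOPAhIRNSUOzT/o8WegaNy93jM+arLHi/4oYpasXDDcBSIjZ"
    "j8LpYzAP7fbUrkw8kSjmr+IA/mawpuQ8m/XTtgn7AIzL1eN38/iMTp6KfPWa9dHZ",
    "nl. IN DNSKEY 257 3 8 AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TNbmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX"
    "qyGe2Mm+ZNRsomBxhluR/ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyhhpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4"
    "FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAxqcfEfARr4b0=",
]
NEW_SIDN_DS_RRSIG = "sidn.nl. IN RRSIG DS 8 2 7200 1352664247 1351444502 20331 nl."

def check_post_evidence() -> dict:
    """The post's reasoning: the signing key is absent from the cached RRset and the new RRSIG appeared inside the 2h TTL."""
    cached_tags = {dnskey_tag(k) for k in OLD_NL_DNSKEYS}
    signer = rrsig_key_tag(NEW_SIDN_DS_RRSIG)
    result = rollover_window(datetime(2012, 10, 28, 19, 40, 50), datetime(2012, 10, 28, 19, 55, 50), 7200)
    result.update(cached_key_tags=cached_tags, signing_key_tag=signer, signer_in_cached_rrset=signer in cached_tags)
    return result
```

Calling `check_post_evidence()` reports a 900-second pre-publish gap against a stale-cache window that only closes at 21:40:50, so validators holding the earlier RRset had no key with tag 20331 to verify the DS signature.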