Maintained by: NLnet Labs

[Unbound-users] DNSSEC validation failure of .nl TLD

Miek Gieben
Mon Oct 29 20:34:11 CET 2012


[ Quoting <casey at deccio.net> in "Re: [Unbound-users] DNSSEC validati..." ]
> FWIW, ISC DNSDB shows that the DNSKEY RRset *prior* to insertion of the new ZSK
> was seen as late as 2012-10-28 19:40:50, but the RRSIG covering sidn.nl/DS made
> by the new ZSK was seen as soon as 2012-10-28 19:55:50, only 15 minutes later. 
> Looks like perhaps the new ZSK wasn't pre-published long enough.  Since the TTL
> of the nl/DNSKEY RRset is two hours, it is very possible that validators were
> attempting to validate RRSIGs made by the new ZSK having only a version of the
> nl/DNSKEY RRset without the new ZSK in cache.
> 
> ;;  last seen: 2012-10-28 19:40:50 -0000
> nl. IN DNSKEY 256 3 8 AwEAAcCIZ6GTKCwV5fpNXuvSr6eOPDo0NRrCFjjmerK1UphiWCpoV5oX
> bCydxv3wyOPAhIRNSUOzT/o8WegaNy93jM+arLHi/4oYpasXDDcBSIjZ
> j8LpYzAP7fbUrkw8kSjmr+IA/mawpuQ8m/XTtgn7AIzL1eN38/iMTp6K fPWa9dHZ
> nl. IN DNSKEY 257 3 8 AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TN
> bmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX qyGe2Mm+ZNRsomBxhluR/
> ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyh
> hpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4
> FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0
> yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAx qcfEfARr4b0=
> 
> ;; first seen: 2012-10-28 19:55:50 -0000
> ;;  last seen: 2012-10-29 14:14:43 -0000
> sidn.nl. IN RRSIG DS 8 2 7200 1352664247 1351444502 20331 nl. aP/
> JmxOzE3nzDj7fgKq+T6/j9f2c4DKTyAF9wKckSukeDSfbXqO0Iias ZIl6kAn/
> 7m4aE4nIoOsZr45GsiTmY49rquR7LNlcuxCv37SqFvwCTKsM
> 8ARyHfOXG+oG+DdbO2uYpIYDlJBN2gpBkFkgcepUZ3aiuXnnXN8OuBbI rdY=

That's cool info! Note that daylight saving was activated (de-activated? I
never know) the evening before...

 Regards,

-- 
    Miek Gieben                                               http://miek.nl
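
The timing argument in the quoted message, worked through as an added example (not part of the original thread and not Unbound code): it takes the two DNSDB observation times and the two-hour DNSKEY TTL from the message and computes how long a validator could still hold the old nl/DNSKEY RRset after signatures by key tag 20331 appeared. All function and constant names are hypothetical, and the inputs are constructed from the values quoted above.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the DNSDB observations quoted above (times are UTC).
OLD_DNSKEY_LAST_SEEN = "2012-10-28 19:40:50"  # nl/DNSKEY RRset without the new ZSK
NEW_SIG_FIRST_SEEN = "2012-10-28 19:55:50"    # sidn.nl/DS RRSIG made by the new ZSK
DNSKEY_TTL = 7200                             # "two hours", per the message
# RRSIG rdata fields from the quoted record, signature bytes omitted.
RRSIG_FIELDS = "DS 8 2 7200 1352664247 1351444502 20331 nl."


def parse_ts(text):
    """Parse a DNSDB-style 'first seen' / 'last seen' timestamp as UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_rrsig(fields):
    """Split RRSIG presentation-format rdata (without the signature)."""
    covered, alg, labels, ttl, expire, incept, tag, signer = fields.split()
    return {
        "type_covered": covered, "algorithm": int(alg), "labels": int(labels),
        "original_ttl": int(ttl),
        "expiration": datetime.fromtimestamp(int(expire), timezone.utc),
        "inception": datetime.fromtimestamp(int(incept), timezone.utc),
        "key_tag": int(tag), "signer": signer,
    }


def rollover_exposure(old_last_seen, new_sig_first_seen, dnskey_ttl):
    """Return (prepublish_upper_bound, stale_until, exposure).

    Follows the message's reasoning: a validator that fetched the old DNSKEY
    RRset at old_last_seen may keep it for one TTL, so signatures by the new
    key seen before old_last_seen + TTL can be unverifiable from its cache.
    """
    old_seen, sig_seen = parse_ts(old_last_seen), parse_ts(new_sig_first_seen)
    prepublish_max = sig_seen - old_seen            # observed pre-publication, at most
    stale_until = old_seen + timedelta(seconds=dnskey_ttl)
    exposure = max(stale_until - sig_seen, timedelta(0))
    return prepublish_max, stale_until, exposure


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_FIELDS)
    pre, until, gap = rollover_exposure(OLD_DNSKEY_LAST_SEEN, NEW_SIG_FIRST_SEEN, DNSKEY_TTL)
    print(f"key tag {sig['key_tag']}, signature inception {sig['inception']}")
    print(f"pre-publication observed: at most {pre}")
    print(f"old DNSKEY RRset may stay cached until {until}, exposure {gap}")
```

An exposure of zero means the old RRset had aged out of every cache before the new key started signing, which is what a pre-publication period of at least one DNSKEY TTL is meant to guarantee.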