Hi Stephane,

Can you give me more details? Once DLV got the DNSKEY it remains valid
for the TTL, which for ripe is 1 hour. Can you give the output of the
query +cdflag (what was the data that failed?)

For me, dig +sigchase for that name works fine. Also unbound-host when
given the ripe.net key.

Best regards,
Wouter

On 08/27/2009 09:49 AM, Stephane Bortzmeyer wrote:
> On Tue, Jun 30, 2009 at 02:24:12PM +0200,
> W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote
> a message of 71 lines which said:
>
>> I think the problem is the recent NSEC+RRSIG parse bug I fixed. In the
>> ANY queries that is present and can lead to the problem, the bug is
>> triggered based on ordering in the packet, and this causes the
>> randomness for you.
>>
>> So, it is fixed in subversion trunk and perhaps I should consider making
>> a bugfix release :-)
>
> I have a similar (?) problem with the 1.3.2 release.
>
> % dig +dnssec AAAA ns-cm.ripe.net
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19685
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
> ...
> ns-cm.ripe.net. 172417 IN AAAA 2001:610:240:0:53:cc:12:38
> ...
>
> (Same thing for A queries.)
>
> % dig +dnssec ANY ns-cm.ripe.net
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20929
> ...
>
> Other names, like ns-co.ripe.net, work fine.