Maintained by: NLnet Labs

[Unbound-users] DNSSEC validation failure of .nl TLD

Marco Davids (SIDN)
Wed Oct 31 12:29:20 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 10/29/12 20:14, Casey Deccio wrote:

> Looks like perhaps the new ZSK wasn't pre-published long enough.

As promised a brief (informal) follow-up on what happened.

Indeed the new ZSK wasn't pre-published long enough. After OpenDNSSEC
generated it and just prior to publishing it in the DNS, the software
encountered a problem. As a result of that, the zonefile was never
published. In fact, we missed two zonefile updates before we got all
the right people mobilised and were ready to restart the process.

When we published the new zonefile, OpenDNSSEC figured that the
pre-publication time was long enough and started to include new
RRSIGs, made by the new ZSK. This resulted in validation errors.

So, the observation of Casey was just right.

We will continue to look into this issue further and we will implement
protective measures to prevent this from happening again.

Regards,

- --
Marco





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCRC4wACgkQ0dvyGJ94G1I5NQCgt2/iV3JHjawST1GPwO6aTzpH
zJYAoIbxYJFR/gWpD4Xt3F0X4DVNTsD8
=0Kn1
-----END PGP SIGNATURE-----
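
The timing failure described in the message above, as an added example that is not part of the original post and not OpenDNSSEC code: a pre-publication check that counts from the scheduled publication time passes even though the DNSKEY only just appeared, while a check that counts from the observed publication does not. The class and field names and all timestamps are constructed assumptions; the interval formula (propagation delay plus DNSKEY TTL) follows RFC 7583.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ZskRollover:
    scheduled_publish: datetime           # when the signer planned to publish the new DNSKEY
    observed_publish: Optional[datetime]  # when a zone containing it was actually served
    dnskey_ttl: timedelta                 # TTL of the DNSKEY RRset
    propagation_delay: timedelta          # time for every secondary to serve the new zone

    def publish_interval(self) -> timedelta:
        # RFC 7583: Ipub = Dprp + TTLkey
        return self.propagation_delay + self.dnskey_ttl

    def naive_ready(self, now: datetime) -> bool:
        # Counts from the schedule, so a failed publication goes unnoticed.
        return now >= self.scheduled_publish + self.publish_interval()

    def safe_ready(self, now: datetime) -> bool:
        # Counts from the moment the key was really visible in the DNS.
        if self.observed_publish is None:
            return False
        return now >= self.observed_publish + self.publish_interval()

    def earliest_signing_time(self) -> Optional[datetime]:
        if self.observed_publish is None:
            return None
        return self.observed_publish + self.publish_interval()


def constructed_scenario():
    # Constructed values: publication planned for 08:00, zone first served at 14:00.
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    roll = ZskRollover(
        scheduled_publish=t0,
        observed_publish=t0 + timedelta(hours=6),  # zone updates were missed
        dnskey_ttl=timedelta(hours=1),
        propagation_delay=timedelta(minutes=30),
    )
    return roll, t0 + timedelta(hours=6, minutes=5)  # five minutes after publication


if __name__ == "__main__":
    roll, now = constructed_scenario()
    print("naive check says sign:", roll.naive_ready(now))
    print("safe check says sign: ", roll.safe_ready(now))
    print("earliest safe signing:", roll.earliest_signing_time())
```

Signing before `earliest_signing_time()` means resolvers holding a cached DNSKEY RRset without the new ZSK receive RRSIGs they cannot verify, which is the validation failure reported in this thread.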