On Mon, Oct 29, 2012 at 5:49 AM, Sander Smeenk <span dir="ltr"><<a href="mailto:ssmeenk@freshdot.net" target="_blank">ssmeenk@freshdot.net</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Quoting Leen Besselink (<a href="mailto:leen@consolejunkie.net" target="_blank">leen@consolejunkie.net</a>):<br>
<br>
> > >>> verify rrset <<a href="http://sidn.nl" target="_blank">sidn.nl</a>. DS IN><br>
> > >>> DS rrset in DS response did not verify<br>
> > >>> validator operate: query <<a href="http://www.sidn.nl" target="_blank">www.sidn.nl</a>. A IN><br>
> > >>> Could not establish a chain of trust to keys for <<a href="http://sidn.nl" target="_blank">sidn.nl</a>. DNSKEY IN><br>
<br>
> > Just to let you know we are aware of this and investigating it.<br>
> > Nothing to report further yet, though...<br>
<br>
</div><div>> As I mentioned before this was with an old version of Unbound, the bug<br>
> is probably fixed already. And if you want a log and a cache-dump<br>
> mail me directly, I'll send it to you.<br>
<br>
</div>The issues with the .nl validation we saw yesterday evening are not<br>
related to Unbound or Unbound versions. People using different resolver<br>
software also reported problems with the .nl zone.<br>
<br>
SIDN is looking into it and will probably release some formal<br>
communication about it in due time. ;-)<br>
<br></blockquote><div><br></div><div>FWIW, ISC DNSDB shows that the DNSKEY RRset *prior* to insertion of the new ZSK was seen as late as 2012-10-28 19:40:50, but the RRSIG covering <a href="http://sidn.nl/DS">sidn.nl/DS</a> made by the new ZSK was seen as soon as 2012-10-28 19:55:50, only 15 minutes later. Looks like perhaps the new ZSK wasn't pre-published long enough. Since the TTL of the nl/DNSKEY RRset is two hours, it is very possible that validators were attempting to validate RRSIGs made by the new ZSK having only a version of the nl/DNSKEY RRset without the new ZSK in cache.<br>
<br>;; last seen: 2012-10-28 19:40:50 -0000</div><div><div>nl. IN DNSKEY 256 3 8 AwEAAcCIZ6GTKCwV5fpNXuvSr6eOPDo0NRrCFjjmerK1UphiWCpoV5oX bCydxv3wyOPAhIRNSUOzT/o8WegaNy93jM+arLHi/4oYpasXDDcBSIjZ j8LpYzAP7fbUrkw8kSjmr+IA/mawpuQ8m/XTtgn7AIzL1eN38/iMTp6K fPWa9dHZ</div>
<div>nl. IN DNSKEY 257 3 8 AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TN bmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX qyGe2Mm+ZNRsomBxhluR/ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyh hpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4 FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0 yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAx qcfEfARr4b0=</div>
<div><br></div><div>;; first seen: 2012-10-28 19:55:50 -0000</div></div><div><div>;; last seen: 2012-10-29 14:14:43 -0000</div><div><a href="http://sidn.nl" target="_blank">sidn.nl</a>. IN RRSIG DS 8 2 7200 1352664247 1351444502 20331 nl. aP/JmxOzE3nzDj7fgKq+T6/j9f2c4DKTyAF9wKckSukeDSfbXqO0Iias ZIl6kAn/7m4aE4nIoOsZr45GsiTmY49rquR7LNlcuxCv37SqFvwCTKsM 8ARyHfOXG+oG+DdbO2uYpIYDlJBN2gpBkFkgcepUZ3aiuXnnXN8OuBbI rdY=</div>
</div><div><br>Regards,<br></div><div>Casey</div></div>
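<div>The timing argument in the reply above, worked through as an added example that is not part of the original message: it names the RRSIG fields, computes how long a cached nl/DNSKEY RRset could lack the signing key, and gives the earliest safe signing time under a pre-publish rollover. The function names, the simplified cache model and the zero propagation delay are assumptions; the timestamps, TTL and RRSIG fields are those quoted in the message.</div>

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DNSKEY_TTL = timedelta(hours=2)  # TTL of the nl/DNSKEY RRset, per the message

# Observation times quoted in the message (ISC DNSDB).
OLD_RRSET_LAST_SEEN = datetime(2012, 10, 28, 19, 40, 50, tzinfo=UTC)
NEW_SIG_FIRST_SEEN = datetime(2012, 10, 28, 19, 55, 50, tzinfo=UTC)

# RRSIG RDATA from the message with the signature field left out.
RRSIG_RDATA = "DS 8 2 7200 1352664247 1351444502 20331 nl."


def rrsig_fields(rdata):
    """Name the leading RRSIG RDATA fields (RFC 4034, section 3.2)."""
    covered, alg, labels, ttl, expire, incept, tag, signer = rdata.split()[:8]
    return {"covered": covered, "algorithm": int(alg), "labels": int(labels),
            "orig_ttl": int(ttl), "expiration": int(expire),
            "inception": int(incept), "key_tag": int(tag), "signer": signer}


def exposure_window(old_last_seen, new_sig_first_seen, ttl):
    """Time during which a cache filled at old_last_seen still lacks the new
    key although signatures made with it are already being served."""
    return max(old_last_seen + ttl - new_sig_first_seen, timedelta(0))


def earliest_safe_signing(published_at, ttl, propagation=timedelta(0)):
    """Pre-publish rule: sign with the new ZSK only once every cached copy of
    the old DNSKEY RRset has expired (propagation delay plus DNSKEY TTL)."""
    return published_at + propagation + ttl


def stale_caches(fetch_times, published_at, first_sig_at, ttl):
    """Simplified validator model (assumption: a cached DNSKEY RRset is used
    until its TTL expires). Returns fetch times of caches that predate the
    new key and are still live when the first new signature appears."""
    return [t for t in fetch_times
            if t < published_at and t + ttl > first_sig_at]


if __name__ == "__main__":
    print("signing key tag:", rrsig_fields(RRSIG_RDATA)["key_tag"])
    print("exposure:", exposure_window(OLD_RRSET_LAST_SEEN, NEW_SIG_FIRST_SEEN, DNSKEY_TTL))
    print("safe from:", earliest_safe_signing(OLD_RRSET_LAST_SEEN, DNSKEY_TTL))
```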