[Opendnssec-develop] Fwd: Re: [Unbound-users] DNSSEC validation failure of .nl TLD
Matthijs Mekking
matthijs at nlnetlabs.nl
Wed Oct 31 12:29:05 UTC 2012
The statement of SIDN is in Dutch. Here is a public version:
http://www.miek.nl/blog/archives/2012/10/31/dnssec_storing_28_oktober_2012/index.html
Marco also sent an explanation to unbound-users, see below. It looks
like an operator error also occurred.
SUPPORT-41 is also created with respect to this incident.
Best regards,
Matthijs
-------- Original Message --------
Subject: Re: [Unbound-users] DNSSEC validation failure of .nl TLD
Date: Wed, 31 Oct 2012 12:29:20 +0100
From: Marco Davids (SIDN) <marco.davids at sidn.nl>
Organization: SIDN
To: <unbound-users at unbound.net>
Hi,
On 10/29/12 20:14, Casey Deccio wrote:
> Looks like perhaps the new ZSK wasn't pre-published long enough.
As promised a brief (informal) follow-up on what happened.
Indeed the new ZSK wasn't pre-published long enough. After OpenDNSSEC
generated it and just prior to publishing it in the DNS, the software
encountered a problem. As a result of that, the zonefile was never
published. In fact, we missed two zonefileupdates before we got all
the right people mobilised and where ready to restart the process.
When we published the new zonefile, OpenDNSSEC figured that the
pre-publication time was long enough and started to include new
RRSIg's, made by the new ZSK. This resulted in validation errors.
So, the observation of Casey was just right.
We will maintain to look into this issue further and we will implement
protective measures to prevent this from happening again.
Regards,
_______________________________________________
Unbound-users mailing list
Unbound-users at unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 551 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20121031/cf22bdc6/attachment.bin>
More information about the Opendnssec-develop
mailing list