[Opendnssec-develop] Fwd: Re: [Unbound-users] DNSSEC validation failure of .nl TLD

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Oct 31 12:29:05 UTC 2012

The statement of SIDN is in Dutch. Here is a public version:


Marco also sent an explanation to unbound-users, see below. It looks
like an operator error also occurred.

SUPPORT-41 is also created with respect to this incident.

Best regards,

-------- Original Message --------
Subject: Re: [Unbound-users] DNSSEC validation failure of .nl TLD
Date: Wed, 31 Oct 2012 12:29:20 +0100
From: Marco Davids (SIDN) <marco.davids at sidn.nl>
Organization: SIDN
To: <unbound-users at unbound.net>


On 10/29/12 20:14, Casey Deccio wrote:

> Looks like perhaps the new ZSK wasn't pre-published long enough.

As promised a brief (informal) follow-up on what happened.

Indeed the new ZSK wasn't pre-published long enough. After OpenDNSSEC
generated it and just prior to publishing it in the DNS, the software
encountered a problem. As a result of that, the zonefile was never
published. In fact, we missed two zonefile updates before we got all
the right people mobilised and were ready to restart the process.

When we published the new zonefile, OpenDNSSEC figured that the
pre-publication time was long enough and started to include new
RRSIGs, made by the new ZSK. This resulted in validation errors.

So, the observation of Casey was just right.

We will continue to look into this issue further and we will implement
protective measures to prevent this from happening again.
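
The timing failure described in the message above, as an added example that is not part of the original e-mail and is neither OpenDNSSEC's code nor SIDN's actual protective measure. It is a simplified model: the names ZskState, naive_ready and guarded_ready, and the TTL and propagation values, are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ZskState:
    generated_at: datetime                  # when the signer created the key
    first_published_at: Optional[datetime]  # when a zone carrying its DNSKEY
                                            # was first served; None = never

def naive_ready(key, now, dnskey_ttl, propagation):
    # Clock starts at key generation. If publication stalls after generation,
    # this still reports the pre-publication period as complete.
    return now - key.generated_at >= dnskey_ttl + propagation

def earliest_signing_time(key, dnskey_ttl, propagation):
    # Clock starts when the DNSKEY actually became visible in the DNS.
    # Validators may hold the old DNSKEY RRset for a full TTL after the
    # last secondary has picked up the new zone.
    if key.first_published_at is None:
        return None
    return key.first_published_at + propagation + dnskey_ttl

def guarded_ready(key, now, dnskey_ttl, propagation):
    # Refuse to sign with the new ZSK until the observed publication time
    # plus propagation delay plus DNSKEY TTL has passed.
    t = earliest_signing_time(key, dnskey_ttl, propagation)
    return t is not None and now >= t

# Constructed timeline (illustrative values, not taken from the incident).
T0 = datetime(2012, 1, 1, 0, 0, tzinfo=timezone.utc)  # key generated
TTL = timedelta(hours=1)                               # DNSKEY TTL
PROP = timedelta(hours=1)                              # propagation delay
PUBLISHED = T0 + timedelta(hours=5)                    # zone finally published
stalled = ZskState(generated_at=T0, first_published_at=None)
published = ZskState(generated_at=T0, first_published_at=PUBLISHED)

if __name__ == "__main__":
    print("at publication, naive check:  ", naive_ready(published, PUBLISHED, TTL, PROP))
    print("at publication, guarded check:", guarded_ready(published, PUBLISHED, TTL, PROP))
    print("never published, guarded:     ", guarded_ready(stalled, PUBLISHED, TTL, PROP))
    print("earliest safe signing time:   ", earliest_signing_time(published, TTL, PROP))
```

In practice first_published_at would come from observing the DNSKEY RRset on the authoritative servers rather than from the signer's own state.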


