Tracking down validation failures
Chris Thompson
cet1 at cam.ac.uk
Sat Jun 13 19:01:20 UTC 2009
On Jun 12 20009, I wrote:
[...]
>The debug level 2 messages, which correspond to SERVFAILs, are all
>associated with "8.84.in-addr.arpa", and it does seem that something
>is wrong with the (signed) delegation of that from "84.in-addr.arpa".
>I can reproduce the SERVFAIL effect on other validating nameservers.
Just to expand on that a bit: the DS record in the parent zone correctly
describes the KSK in the child zone, and the RRSIGs in 8.84.in-addr.arpa
appear to be correct ... except that they all expired over 15 months ago!
--
Chris Thompson
Email: cet1 at cam.ac.uk
More information about the bind-users
mailing list