Why DNSSEC errors for bund.de?
Lars Hecking
lhecking at users.sourceforge.net
Tue May 24 14:31:16 UTC 2011
Chris Thompson writes:
> We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g.
> mx1.bind.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and
> 9.8.0-P1 configured with the root and dlv.isc.org trust anchors.
>
> However, I can't see what is actually wrong with it, using dig +cd as
> necessary. All the signatures appear to have valid start/stop times, and
> http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There
> are a lot of false trails (e.g. the DS records for it in "de") but that
> shouldn't stop BIND finding the one that works (DLV in dlv.isc.org ->
> KSK with tag 10923 -> ZSK with tag 4814), should it?
>
> It may be significant that this problem was reported to us on the same
> day that obscured DNSKEY records were introduced into the "de" zone...
Maybe this is a symptom of DUdeZ (deliberately unvalidatable DE zone)?
http://www.heise.de/newsticker/meldung/DENIC-startet-unbemerkt-mit-der-Verteilung-der-signierten-de-Zone-1247415.html
http://www.denic.de/domains/dnssec.html
More information about the bind-users mailing list
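
Added example (not part of the original thread, and not BIND's code): how a DS or DLV record is tied to a DNSKEY by key tag, algorithm and digest, which is the "DLV -> KSK" step in the quoted message, and why a record that matches no key in the DNSKEY set is a dead end rather than a link in the chain. The keys and the name example.test are constructed, the function names are hypothetical, and RRSIG verification is out of scope.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS/DLV digest types

def make_ds(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, digest), the fields of a DS or DLV record."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def find_anchor_key(ds, owner, dnskeys):
    """Return the DNSKEY RDATA the DS/DLV record vouches for, or None."""
    tag, alg, dtype, digest = ds
    for rdata in dnskeys:
        if key_tag(rdata) != tag or rdata[3] != alg:
            continue  # the tag only narrows the search; the digest decides
        if dtype in DIGESTS and DIGESTS[dtype](wire_name(owner) + rdata).digest() == digest:
            return rdata
    return None

# Constructed keys: flags 257 = KSK (SEP bit set), 256 = ZSK.
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
ZSK = dnskey_rdata(256, 3, 8, b"\x05\x06\x07\x08")
STALE = dnskey_rdata(257, 3, 8, b"\x03\x02\x01\x04")  # same tag as KSK, not in the zone

def demo():
    keyset = [ZSK, KSK]
    good = make_ds("example.test.", KSK)
    false_trail = make_ds("example.test.", STALE)
    return (find_anchor_key(good, "Example.TEST", keyset),
            find_anchor_key(false_trail, "example.test.", keyset))
```

The second record returned by demo() shares the KSK's key tag but carries a different digest, so it selects no key; a validator has to treat such a record as unusable and try the remaining DS/DLV records.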