dlv.isc.org DNSSEC expired - potential impact to resolvers?

Wed Mar 25 16:26:47 UTC 2020

At 16:05:08, a toy BIND 9.10.3-P4 recursive nameserver began answering all queries with SERVFAIL, logging:

-=-
Mar 25 16:05:08 serni named[1525]:   validating dlv.isc.org/NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired
Mar 25 16:05:08 serni named[1525]:   validating dlv.isc.org/NSEC: no valid signature found
Mar 25 16:05:08 serni named[1525]:   validating dlv.isc.org/NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired
Mar 25 16:05:08 serni named[1525]:   validating dlv.isc.org/NSEC: no valid signature found
-=-

dnssec-lookaside had been set to 'auto'.

changing dnssec-lookaside to 'no' restored service (and has no impact on security because the DLV has been an empty zone for years!).

It looks like signatures in dlv.isc.org have stopped being refreshed - 

Here's the bottom of a 'dig +trace ns dlv.isc.org':

-=-

isc.org.		86400	IN	NS	sfba.sns-pb.isc.org.
isc.org.		86400	IN	NS	ns.isc.afilias-nst.info.
isc.org.		86400	IN	NS	ord.sns-pb.isc.org.
isc.org.		86400	IN	NS	ams.sns-pb.isc.org.
isc.org.		86400	IN	DS	7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2
isc.org.		86400	IN	RRSIG	DS 7 2 86400 20200415152856 20200325142856 33209 org. YTPrAcPA4m3BUQnxMaAQizsosbldafWIcNfedHclACGsEgyQwQWlO57Y ApSDd/sKEI2+PAntcXf4eeuGqA+pz1AnH4IpoqWfFOeZcI4qKKz1yfX/ +VXQ6gKoJklqwLomXsi8IpwKFM9IzP3iWHIufG7luy8ZccgwIwX/07Z6 /Ro=
;; Received 482 bytes from 2001:500:e::1#53(a0.org.afilias-nst.info) in 100 ms

dlv.isc.org.		300	IN	NS	ns1.isc.ultradns.net.
dlv.isc.org.		300	IN	NS	dlv.sfba.sns-pb.isc.org.
dlv.isc.org.		300	IN	NS	ns.isc.afilias-nst.info.
dlv.isc.org.		300	IN	NS	dlv.ord.sns-pb.isc.org.
dlv.isc.org.		300	IN	NS	ns2.isc.ultradns.net.
dlv.isc.org.		300	IN	NS	dlv.ams.sns-pb.isc.org.
dlv.isc.org.		300	IN	RRSIG	NS 5 3 300 20200325160456 20200224153150 64263 dlv.isc.org. H1H0F1xGgvH/nqFu3pI66eTn7PkAInRKb8CgKn0fEHzHJYecRqqQ9G2s v0gC6nYjPq+SP8LEzCQdZTelt2unG7xnVIQJBuCwpu2tV0OJdko2/Eqq dwi+Wn/kWNIZa48Scr5rHLYJ16ABrqLTMxeXBwVs7U3k/0T0auzQm71C h7k=
;; Received 1124 bytes from 199.254.63.254#53(ns.isc.afilias-nst.info) in 144 ms
-=-

Note the signature expiration of '20200325160456'.

Is this related to the shutdown of sns-pb?

Graham