Chris Thompson writes:
> We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g.
> mx1.bind.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and
> 9.8.0-P1 configured with the root and dlv.isc.org trust anchors.
>
> However, I can't see what is actually wrong with it, using dig +cd as
> necessary. All the signatures appear to have valid start/stop times, and
> http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There
> are a lot of false trails (e.g. the DS records for it in "de") but that
> shouldn't stop BIND finding the one that works (DLV in dlv.isc.org ->
> KSK with tag 10923 -> ZSK with tag 4814), should it?
>
> It may be significant that this problem was reported to us on the same
> day that obscured DNSKEY records were introduced into the "de" zone...

Maybe this is a symptom of DUdeZ (deliberately unvalidatable DE zone)?

http://www.heise.de/newsticker/meldung/DENIC-startet-unbemerkt-mit-der-Verteilung-der-signierten-de-Zone-1247415.html
http://www.denic.de/domains/dnssec.html

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users