At 16:05:08, a toy BIND 9.10.3-P4 recursive nameserver began answering all queries with SERVFAIL, logging:
-=- Mar 25 16:05:08 serni named[1525]: validating dlv.isc.org/NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired Mar 25 16:05:08 serni named[1525]: validating dlv.isc.org/NSEC: no valid signature found Mar 25 16:05:08 serni named[1525]: validating dlv.isc.org/NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired Mar 25 16:05:08 serni named[1525]: validating dlv.isc.org/NSEC: no valid signature found -=- dnssec-lookaside had been set to 'auto'. changing dnssec-lookaside to 'no' restored service (and has no impact on security because the DLV has been an empty zone for years!). It looks like signatures in dlv.isc.org have stopped being refreshed - Here's the bottom of a 'dig +trace ns dlv.isc.org': -=- isc.org. 86400 IN NS sfba.sns-pb.isc.org. isc.org. 86400 IN NS ns.isc.afilias-nst.info. isc.org. 86400 IN NS ord.sns-pb.isc.org. isc.org. 86400 IN NS ams.sns-pb.isc.org. isc.org. 86400 IN DS 7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2 isc.org. 86400 IN RRSIG DS 7 2 86400 20200415152856 20200325142856 33209 org. YTPrAcPA4m3BUQnxMaAQizsosbldafWIcNfedHclACGsEgyQwQWlO57Y ApSDd/sKEI2+PAntcXf4eeuGqA+pz1AnH4IpoqWfFOeZcI4qKKz1yfX/ +VXQ6gKoJklqwLomXsi8IpwKFM9IzP3iWHIufG7luy8ZccgwIwX/07Z6 /Ro= ;; Received 482 bytes from 2001:500:e::1#53(a0.org.afilias-nst.info) in 100 ms dlv.isc.org. 300 IN NS ns1.isc.ultradns.net. dlv.isc.org. 300 IN NS dlv.sfba.sns-pb.isc.org. dlv.isc.org. 300 IN NS ns.isc.afilias-nst.info. dlv.isc.org. 300 IN NS dlv.ord.sns-pb.isc.org. dlv.isc.org. 300 IN NS ns2.isc.ultradns.net. dlv.isc.org. 300 IN NS dlv.ams.sns-pb.isc.org. dlv.isc.org. 300 IN RRSIG NS 5 3 300 20200325160456 20200224153150 64263 dlv.isc.org. H1H0F1xGgvH/nqFu3pI66eTn7PkAInRKb8CgKn0fEHzHJYecRqqQ9G2s v0gC6nYjPq+SP8LEzCQdZTelt2unG7xnVIQJBuCwpu2tV0OJdko2/Eqq dwi+Wn/kWNIZa48Scr5rHLYJ16ABrqLTMxeXBwVs7U3k/0T0auzQm71C h7k= ;; Received 1124 bytes from 199.254.63.254#53(ns.isc.afilias-nst.info) in 144 ms -=- Note the signature expiration of '20200325160456'. Is this related to the shutdown of sns-pb? Graham _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users