At 16:05:08, a toy BIND 9.10.3-P4 recursive nameserver began answering all 
queries with SERVFAIL, logging:

-=-
Mar 25 16:05:08 serni named[1525]:   validating dlv.isc.org/NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired
Mar 25 16:05:08 serni named[1525]:   validating dlv.isc.org/NSEC: no valid signature found
Mar 25 16:05:08 serni named[1525]:   validating dlv.isc.org/NSEC: verify failed due to bad signature (keyid=64263): RRSIG has expired
Mar 25 16:05:08 serni named[1525]:   validating dlv.isc.org/NSEC: no valid signature found
-=-


dnssec-lookaside had been set to 'auto'.

Changing dnssec-lookaside to 'no' restored service (and has no impact on 
security because the DLV has been an empty zone for years!).



It looks like signatures in dlv.isc.org have stopped being refreshed.

Here's the bottom of a 'dig +trace ns dlv.isc.org':

-=-

isc.org.                86400   IN      NS      sfba.sns-pb.isc.org.
isc.org.                86400   IN      NS      ns.isc.afilias-nst.info.
isc.org.                86400   IN      NS      ord.sns-pb.isc.org.
isc.org.                86400   IN      NS      ams.sns-pb.isc.org.
isc.org.                86400   IN      DS      7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2
isc.org.                86400   IN      RRSIG   DS 7 2 86400 20200415152856 20200325142856 33209 org. YTPrAcPA4m3BUQnxMaAQizsosbldafWIcNfedHclACGsEgyQwQWlO57Y ApSDd/sKEI2+PAntcXf4eeuGqA+pz1AnH4IpoqWfFOeZcI4qKKz1yfX/ +VXQ6gKoJklqwLomXsi8IpwKFM9IzP3iWHIufG7luy8ZccgwIwX/07Z6 /Ro=
;; Received 482 bytes from 2001:500:e::1#53(a0.org.afilias-nst.info) in 100 ms

dlv.isc.org.            300     IN      NS      ns1.isc.ultradns.net.
dlv.isc.org.            300     IN      NS      dlv.sfba.sns-pb.isc.org.
dlv.isc.org.            300     IN      NS      ns.isc.afilias-nst.info.
dlv.isc.org.            300     IN      NS      dlv.ord.sns-pb.isc.org.
dlv.isc.org.            300     IN      NS      ns2.isc.ultradns.net.
dlv.isc.org.            300     IN      NS      dlv.ams.sns-pb.isc.org.
dlv.isc.org.            300     IN      RRSIG   NS 5 3 300 20200325160456 20200224153150 64263 dlv.isc.org. H1H0F1xGgvH/nqFu3pI66eTn7PkAInRKb8CgKn0fEHzHJYecRqqQ9G2s v0gC6nYjPq+SP8LEzCQdZTelt2unG7xnVIQJBuCwpu2tV0OJdko2/Eqq dwi+Wn/kWNIZa48Scr5rHLYJ16ABrqLTMxeXBwVs7U3k/0T0auzQm71C h7k=
;; Received 1124 bytes from 199.254.63.254#53(ns.isc.afilias-nst.info) in 144 ms
-=-


Note the signature expiration of '20200325160456'.

Is this related to the shutdown of sns-pb?

Graham
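
An added example, not part of the original post: a small monitoring check that reads RRSIG records from unwrapped dig output and classifies each signature against a reference time, which would have flagged the dlv.isc.org signature before validation started failing. The function names, the three-day warning window and the reference time are assumptions of this sketch; the sample records are the two RRSIGs from the trace above with the signature data replaced by a placeholder.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two RRSIG records from the trace, each on one line,
# with the base64 signature replaced by the placeholder word SIGNATURE.
SAMPLE = """\
isc.org.     86400 IN RRSIG DS 7 2 86400 20200415152856 20200325142856 33209 org. SIGNATURE
dlv.isc.org. 300   IN RRSIG NS 5 3 300 20200325160456 20200224153150 64263 dlv.isc.org. SIGNATURE
"""

# owner TTL IN RRSIG covered alg labels origTTL expiration inception keytag signer
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE,
)

def _ts(stamp):
    """RRSIG presentation timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(text, now, warn=timedelta(days=3)):
    """Classify every RRSIG in `text` as expired, not-yet-valid, expiring or ok."""
    results = []
    for m in RRSIG_RE.finditer(text):
        expire, incept = _ts(m["expire"]), _ts(m["incept"])
        if now > expire:
            status = "expired"
        elif now < incept:
            status = "not-yet-valid"
        elif expire - now <= warn:
            status = "expiring"   # still valid, but inside the warning window
        else:
            status = "ok"
        results.append({
            "owner": m["owner"], "covered": m["covered"],
            "keytag": int(m["keytag"]), "signer": m["signer"],
            "status": status, "remaining": expire - now,
        })
    return results

if __name__ == "__main__":
    # Assumption: the syslog timestamp 16:05:08 in the post is UTC.
    now = datetime(2020, 3, 25, 16, 5, 8, tzinfo=timezone.utc)
    for r in check_rrsigs(SAMPLE, now):
        print(f'{r["owner"]}/{r["covered"]} keyid={r["keytag"]} '
              f'{r["status"]} ({r["remaining"]})')
```
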