[dns-operations] .BE signatures expired

[Stephane Bortzmeyer]

[Forwarded from a Casey Deccio's message on dnssec-deployment.]

DNSSEC is hard, we know it. Another TLD went SERVFAIL because of a
DNSSEC issue. .BE has two keys on the root, only one, 25282, being in
the zone.

But the signature of the DNSKEY RRset by 25282 expired a few hours ago
(the admins are warned but the authoritative name servers continue to
serve the old sigs.)

% dig +dnssec +multi DNSKEY be.

; <<>> DiG 9.6-ESV-R1 <<>> +dnssec +multi DNSKEY be.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15909
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;be.			IN DNSKEY

;; ANSWER SECTION:
be.			85710 IN DNSKEY	256 3 8 (
				AwEAAaUrk5yzJRzuPrXBTvzj4oDt9g04ftP84Vcmzz9s
				joY9eMCGTlvM8S/+7MBrUXp7ySo3re9gzTxg6k5KP4eG
				B0QgGcHWD2ghYW8f6Ow9FLPvH5OS0QtO5s0Vg81HM6Gn
				q475Qa0ArnYuTNzCOKo+CojM9SaREt/QWBdXW9bIdIOr
				) ; key id = 61575
be.			85710 IN DNSKEY	256 3 8 (
				AwEAAbFr10l0aj4qbeaaRH2LG8MXBv0a+NCfLdI0JEHw
				Gaqk1IG2r4lSwxOEZT0KjWY5HqlODqmCNhDAEeWO7N59
				hRegCZSlWzcOmawuFAdAYRqsUo9mzVRVouVD3PHCP4/Q
				m99rWjjOsgAnF6FW149F6jJlWf5IUicz0iYqaf2QKWkB
				) ; key id = 58245
be.			85710 IN DNSKEY	256 3 8 (
				AwEAAbxSLvwv/XaCHXQytDLXWuqeZRcOX94KIEyxJ/sW
				cdmoAArkjvWoDoFG3iyRbmbCuDa7KwpxtQfATGxJuJT7
				F9NMpOpjBg/2YhvvP6C1slniUcJqwwMJVLs5d2+eUbYU
				+kw2pYjQF1P//qt+T8jsXUN1h0GIQFwzoN9nc55iGBDr
				) ; key id = 4929
be.			85710 IN DNSKEY	257 3 8 (
				AwEAAbd8NzEIexVg4BXeSSMLZuMP3J4hB/igiRVhk4YK
				aMvS31wxGo+F9UjDDwRrIxlWBnJttE2ht5fP1bVHaqKx
				xObgCsn3sdHEDEvd45MRu54kkrfbIxXq+k7K+9qsLfWV
				1C24LQDvYlXXoZ1MrAe8mgHxGkYeY6o4wUbEdkk9m3Wf
				Ut9PZd4g+X2rzV3ugsihXhtSQslm9luCwz/h9vR11uDx
				AScNbBsFmR9YPE0lhiyehJ0BClDYfLCQsLblp9gnEk82
				7a6Ld+/NT/pIl97gElqQDJdblsTPpm2aD5kXYPDOry20
				yaz6AV9YKZ88Da/GXh6P1zi+JSjEkBCANJi5iPk=
				) ; key id = 25282
be.			85710 IN RRSIG DNSKEY 8 1 86400 20101007125403 (
				20100930115403 25282 be.
				Ze2wUEsJNTxVwKMZW6lVlHa8wi8JPTCJ559yRywZfmzM
				RnCFP4cFqzKFJKXNobVnIhBu18hSiQYg+AqUmTn46SGY
				oNgC+Y/d94ssjtB67JpcbVc/7PmCHJq/rOzv/Of5cGc6
				Agr4wBbnHVAEwiH+vyfY1EyWuCdVLskJQlIhStz9pIxz
				eNdmJFxRK7bZDhu8M0vWHINvLszMCAjHkA3DCLgHT3QA
				bNBo/H777BmeGcnn67Wijn95d9WA8ggGiU1nFjXNX7/T
				0BHpPf10Q1gUx7Q58LX32zBNdpfeJAKh3e4lGget2NB9
				tTPJWtXs/ncIE2NUhxgW8Z6NpHmfPEQKOA== )
be.			85710 IN RRSIG DNSKEY 8 1 86400 20101014124736 (
				20101007115403 4929 be.
				FqHEWLxGi7b346TC2eRgfGK3PoBJ+9fD3cYuNqAvYfhV
				0UujQC9NDZ1MN9DAOpmFngFiH/JtwfQaplDdxp/mOySY
				CMSqHCuxZL7wQ+fA+bs5WAh3mfUiyvdI1q5X8OOtvgYn
				dxxjzoL8XNbFaKsySnGvnoo0587T2F8pvj+a6/A= )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct  7 22:52:35 2010
;; MSG SIZE  rcvd: 1203