[dns-operations] [DNSSEC] Bogus signature on secure.registry.be ?

Olafur Gudmundsson ogud at ogud.com
Thu Dec 22 15:16:58 UTC 2011


On 22/12/2011 09:56, Laurent Bauer wrote:
> Hello,
>
> I can no longer resolve 'secure.registry.be', my validating resolver
> (bind 9.7.3) returns SERVFAIL :
>

Signatures have expired
see this snippet:
RRSIG NSEC3 8 3 600 20120101141318 20111222135733
the last value is the expiration time in UTC
so the signatures expired about an hour ago.

	Olafur


> ;<<>>  DiG 9.7.1-P2<<>>  secure.registry.be
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32204
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;<<>>  DiG 9.7.1-P2<<>>  secure.registry.be +cd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24524
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 4
>
> According to dnsviz, it has a bogus signature :
>    http://dnsviz.net/d/secure.registry.be/dnssec/
>
> I am not quite familiar with DNSSEC debugging yet, but I could not find
> any problem (with dig/drill) neither in the trust chain, nor any expired
> signature.
> As far as I know, my resolver might as well have its cache poisoned,
> though I flushed it and retried before posting this.
>
> Can anyone confirm the problem ?
> If so, does anyone have a contact with a DNS administrator at DnsBe ?
>
> Thanks
>
> 	Laurent Bauer
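An added example, not part of the original thread: reading the validity window out of RRSIG presentation text like the snippet quoted above and classifying it against a clock time. RFC 4034 lists the signature expiration field before the inception field; the function names and the three clock times are constructed for illustration.

```python
from datetime import datetime, timezone

UTC = timezone.utc

def parse_rrsig_time(field):
    """RFC 4034 section 3.2 allows YYYYMMDDHHmmSS (UTC) or decimal epoch seconds."""
    if not field.isdigit():
        raise ValueError(f"not an RRSIG timestamp: {field!r}")
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=UTC)
    if len(field) <= 10:
        return datetime.fromtimestamp(int(field), tz=UTC)
    raise ValueError(f"not an RRSIG timestamp: {field!r}")

def rrsig_window(rdata):
    """Return (type_covered, inception, expiration) from RRSIG RDATA text."""
    fields = rdata.split()
    if fields and fields[0].upper() == "RRSIG":
        fields = fields[1:]
    if len(fields) < 6:
        raise ValueError("need at least: type alg labels ttl expiration inception")
    # Field order: type covered, algorithm, labels, original TTL,
    # signature expiration, signature inception.
    return fields[0], parse_rrsig_time(fields[5]), parse_rrsig_time(fields[4])

def classify(rdata, now):
    """A validator must reject the RRSIG outside [inception, expiration]."""
    _, inception, expiration = rrsig_window(rdata)
    if now < inception:
        return "not-yet-valid"
    if now > expiration:
        return "expired"
    return "valid"

if __name__ == "__main__":
    # RDATA prefix as quoted in the thread (key tag, signer and signature omitted).
    snippet = "RRSIG NSEC3 8 3 600 20120101141318 20111222135733"
    covered, inception, expiration = rrsig_window(snippet)
    print(f"{covered}: inception {inception}, expiration {expiration}")
    # Constructed clock times, one on each side of the window and one inside it.
    for now in (datetime(2011, 12, 22, 12, 0, 0, tzinfo=UTC),
                datetime(2011, 12, 25, 0, 0, 0, tzinfo=UTC),
                datetime(2012, 1, 1, 14, 13, 19, tzinfo=UTC)):
        print(now.isoformat(), classify(snippet, now))
```

The `now` argument is the validator's own clock, so a resolver with a skewed clock can reject a signature that other resolvers accept.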