[dns-operations] I do not understand this validation failure

Thomas Egrelius thomas.egrelius at se.verizonbusiness.com
Sun Dec 25 22:20:07 UTC 2011

Hi all, hope you are enjoying the holidays.

I have a question for you to think about when you get the time. One of the 
test domains used to test frequent key rollovers etc suddenly started to 
fail validation today. Without anyone doing any changes afaik - other than 
maybe an automatic ZSK rollover.

The zone is nlsec.egge.se. As far as I can tell, everything is ok in the 
zone. The KSK is there, used for the DNSKEY RRSIG and all the signatures 
have valid timings. Still, all analyzers tell me the DNSKEY RRSIG do not 
validate. And it doesn't. I just don't understand why.

It might me that just resigning may fix the issue, but before I do that 
I'd like a second oppinion and see if I can get an explanation of what's 
going on.

So, whenever you feel for it and have the time, feel free to have a look.


/Thomas Egrelius

Verizon Sweden AB - registrerat i Sverige med organisationsnummer 556489-1009 - huvudkontorets adress: Armégatan 38, Box 4127, 171 04 Solna, Sverige

More information about the dns-operations mailing list