[dns-operations] I do not understand this validation failure

Florian Weimer fw at deneb.enyo.de
Mon Dec 26 10:48:26 UTC 2011


* Thomas Egrelius:

> The zone is nlsec.egge.se. As far as I can tell, everything is ok in the 
> zone. The KSK is there, used for the DNSKEY RRSIG and all the signatures 
> have valid timings. Still, all analyzers tell me the DNSKEY RRSIG does not 
> validate. And it doesn't. I just don't understand why.

The signature is not cryptographically valid, that is, the
verification math fails.  This could be a hardware fault (bit flips
and stuff like that), or it could be caused by publication of a
signature along with a newer or older version of the signed data.
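
Added illustration, not part of the original message or the zone's real data: a minimal RSASHA256 RRSIG check over a DNSKEY RRset showing that timing and key tag checks can pass while the verification math fails, either from a single flipped bit or from an RRset that changed after signing. The zone name, timestamps, placeholder ZSK bytes and the toy RSA key (built from two Mersenne primes, insecure) are all constructed assumptions.

```python
import hashlib, struct

# Constructed toy RSA key built from two Mersenne primes: insecure, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo

def wire_name(name):
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"

def dnskey_rdata(flags, pubkey):
    return struct.pack("!HBB", flags, 3, 8) + pubkey  # protocol 3, alg 8 (RSASHA256)

def key_tag(rdata):  # RFC 4034 Appendix B
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def signed_data(owner, ttl, rdatas, incep, expir, tag):
    # RFC 4034 3.1.8.1: RRSIG RDATA without the signature, then the canonical RRset
    out = struct.pack("!HBBIIIH", 48, 8, owner.rstrip(".").count(".") + 1, ttl, expir, incep, tag)
    out += wire_name(owner)
    for rd in sorted(rdatas):
        out += wire_name(owner) + struct.pack("!HHIH", 48, 1, ttl, len(rd)) + rd
    return out

def emsa(data):  # EMSA-PKCS1-v1_5 encoding of SHA-256(data)
    t = PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(data):
    return pow(int.from_bytes(emsa(data), "big"), D, N).to_bytes(K, "big")

def verify(data, sig):
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big") == emsa(data)

ZONE, TTL, INCEP, EXPIR = "zone.example.", 3600, 1324000000, 1326000000  # constructed
KSK = dnskey_rdata(257, b"\x03\x01\x00\x01" + N.to_bytes(K, "big"))
ZSK_OLD = dnskey_rdata(256, b"\x03\x01\x00\x01" + b"\x11" * 128)  # placeholder key bytes
ZSK_NEW = dnskey_rdata(256, b"\x03\x01\x00\x01" + b"\x22" * 128)
SIG = sign(signed_data(ZONE, TTL, [KSK, ZSK_OLD], INCEP, EXPIR, key_tag(KSK)))

def diagnose(rdatas, sig, now):
    """Return (timing_ok, key_tag_present, crypto_ok) for the published RRset + RRSIG."""
    tag = key_tag(KSK)
    data = signed_data(ZONE, TTL, rdatas, INCEP, EXPIR, tag)
    return (INCEP <= now <= EXPIR, tag in map(key_tag, rdatas), verify(data, sig))
```

Calling diagnose() with the RRset that was signed, with ZSK_NEW swapped in, or with one bit of SIG flipped shows that only the third field changes, which is why a zone can look correct on inspection and still fail validation.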
