[dns-operations] I do not understand this validation failure
Florian Weimer
fw at deneb.enyo.de
Mon Dec 26 10:48:26 UTC 2011
* Thomas Egrelius:
> The zone is nlsec.egge.se. As far as I can tell, everything is ok in the
> zone. The KSK is there, used for the DNSKEY RRSIG and all the signatures
> have valid timings. Still, all analyzers tell me the DNSKEY RRSIG does not
> validate. And it doesn't. I just don't understand why.
The signature is not cryptographically valid, that is, the
verification math fails. This could be a hardware fault (bit flips
and stuff like that), or it could be caused by publication of a
signature along with a newer or older version of the signed data.
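
An added illustration of the two causes named in the reply above (not part of the original message): an RRSIG whose inception and expiration are valid still fails verification when the published DNSKEY RRset differs from the one that was signed, or when a single bit of the signature changes. The owner name, key tag, timestamps and key material are constructed, and textbook RSA without PKCS#1 v1.5 padding stands in for RSASHA256.

```python
import hashlib, struct

# Constructed demo key (assumption): textbook RSA over two Mersenne primes,
# no PKCS#1 v1.5 padding. Illustration only, not a usable DNSSEC key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def wire_name(name):
    """Lower-cased DNS name in wire format (RFC 4034 section 6.2)."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def signed_data(owner, ttl, rdatas, inception, expiration, key_tag):
    """RRSIG RDATA minus the signature, then the canonical DNSKEY RRset
    (RFC 4034 section 3.1.8.1). Type 48 = DNSKEY, algorithm 8 = RSASHA256."""
    labels = len(owner.rstrip(".").split("."))
    head = struct.pack("!HBBIIIH", 48, 8, labels, ttl, expiration, inception, key_tag)
    head += wire_name(owner)
    prefix = wire_name(owner) + struct.pack("!HHI", 48, 1, ttl)
    # Canonical RR order: sort by RDATA as octet strings.
    rrs = [prefix + struct.pack("!H", len(r)) + r for r in sorted(rdatas)]
    return head + b"".join(rrs)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data):
    return pow(digest(data), D, N)

def check(sig, owner, ttl, rdatas, inception, expiration, key_tag, now):
    """Return (timing_ok, crypto_ok) so the two failure classes stay separate."""
    timing_ok = inception <= now <= expiration
    data = signed_data(owner, ttl, rdatas, inception, expiration, key_tag)
    return timing_ok, pow(sig, E, N) == digest(data)

# Constructed sample zone data (not taken from nlsec.egge.se).
OWNER, TTL, TAG = "example.test.", 3600, 12345
INC, EXP, NOW = 1_000_000, 2_000_000, 1_500_000
KSK = struct.pack("!HBB", 257, 3, 8) + b"constructed-ksk-public-key"
ZSK_OLD = struct.pack("!HBB", 256, 3, 8) + b"constructed-zsk-old"
ZSK_NEW = struct.pack("!HBB", 256, 3, 8) + b"constructed-zsk-new"

def scenarios():
    sig = sign(signed_data(OWNER, TTL, [KSK, ZSK_OLD], INC, EXP, TAG))
    rest = (INC, EXP, TAG, NOW)
    return {"matching": check(sig, OWNER, TTL, [ZSK_OLD, KSK], *rest),
            "rrset_changed": check(sig, OWNER, TTL, [KSK, ZSK_NEW], *rest),
            "bit_flip": check(sig ^ 1, OWNER, TTL, [KSK, ZSK_OLD], *rest)}
```

Record order in the response does not matter because the RRset is sorted before hashing; only a change in the records themselves or in the signature bytes breaks verification.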