[dns-operations] DNSSEC issue - why?

Gilles Massen gilles.massen at restena.lu
Tue Jun 9 06:47:31 UTC 2015


Hello,

I stumbled in my resolver logs over validation failures with
hollington.ca (I'm not related to them, it is just a weird case).

In short: BIND and Unbound fail to validate; Google, dnsviz (
http://dnsviz.net/d/hollington.ca/dnssec/ ) or dnssec-debugger (
http://dnssec-analyzer.verisignlabs.com/hollington.ca ) are fine.

More detailed: delv complains with
;; validating hollington.ca/DNSKEY: no DNSKEY matching DS
;; validating hollington.ca/DNSKEY: no valid signature found (DS)

which looks quite simple; however, the KSK DNSKEY from hollington.ca is
part of the DS set. The only notable part of the DS set is that it
contains 4 keys, among which is an older (?) one with a longer hash.

Any idea why / where this fails?


Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
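
An added example, not part of the original post: a check of which DS records in a mixed-digest DS set match the published DNSKEYs, with and without the RFC 4509 section 3 rule that a validator should ignore SHA-1 DS records when SHA-256 ones are present. The zone name and key bytes are constructed, and the post does not establish whether this is what happens for hollington.ca.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Canonical (lower-case) wire format of an owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey  # protocol is always 3

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS tuple (key tag, algorithm, digest type, hex digest) per RFC 4034 5.1.4."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def matching_ds(owner, ds_set, dnskeys, rfc4509=True):
    """DS records that match a published DNSKEY.

    With rfc4509=True, SHA-1 DS records are dropped first whenever a SHA-256
    DS is present (RFC 4509 section 3), as a validator following that rule would.
    """
    if rfc4509 and any(ds[2] == 2 for ds in ds_set):
        ds_set = [ds for ds in ds_set if ds[2] != 1]
    return [ds for ds in ds_set
            if ds[2] in DIGESTS
            and any(make_ds(owner, k, ds[2]) == ds for k in dnskeys)]

# Constructed sample: key bytes are made up, example.test is a placeholder zone.
OWNER = "example.test."
OLD_KSK = dnskey_rdata(257, 8, bytes(range(64)))        # no longer published
CUR_KSK = dnskey_rdata(257, 8, bytes(range(64, 128)))   # in the DNSKEY RRset
DS_SET = [make_ds(OWNER, OLD_KSK, 2),   # stale SHA-256 DS
          make_ds(OWNER, CUR_KSK, 1)]   # SHA-1 DS for the current KSK

if __name__ == "__main__":
    print("any-digest match:", matching_ds(OWNER, DS_SET, [CUR_KSK], rfc4509=False))
    print("RFC 4509 match:  ", matching_ds(OWNER, DS_SET, [CUR_KSK]))
```

In this constructed set the current KSK is covered only by a SHA-1 DS, so a checker that accepts any matching DS reports a match while one applying the RFC 4509 rule finds none.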


