Somebody made a small mistake when signing the .KG (Kyrgyzstan) zone, rendering it useless for validating servers:

    22-Feb-2011 14:34:42.644 validating @0x1011c5600: kg DNSKEY: no valid signature found (DS)
    22-Feb-2011 14:34:42.644 error (no valid RRSIG) resolving 'kg/DNSKEY/IN': 193.0.12.119#53
    22-Feb-2011 14:34:42.809 validating @0x1011c5600: kg DNSKEY: no valid signature found (DS)
    22-Feb-2011 14:34:42.810 error (no valid RRSIG) resolving 'kg/DNSKEY/IN': 195.38.160.36#53
    22-Feb-2011 14:34:42.877 validating @0x1011c5600: kg DNSKEY: no valid signature found (DS)
    22-Feb-2011 14:34:42.877 error (no valid RRSIG) resolving 'kg/DNSKEY/IN': 2001:610:240::53:cc:12:119#53
    22-Feb-2011 14:34:42.877 error (broken trust chain) resolving 'kg/NS/IN': 195.38.160.36#53

The RRSIG inception times are in the future: they are UTC+6, so it'll be a bit until their zone validates again. DNSSEC really is difficult. (Sigh.) [via]
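To see why a timezone slip produces exactly this failure, here is an added example (not from the original post or from the .KG operators) that checks an RRSIG validity window the way a validator does. It assumes the signer wrote local UTC+6 wall-clock time into the inception field; the record, key tag, signature and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"  # RRSIG time presentation format (RFC 4034, section 3.2), always UTC

def time_field(instant, convert_to_utc=True):
    """Format an aware datetime as an RRSIG time field.
    convert_to_utc=False writes the signer's local wall clock instead
    (the assumed mistake)."""
    if convert_to_utc:
        instant = instant.astimezone(timezone.utc)
    return instant.strftime(FMT)

def make_rrsig(inception, expiration):
    """Constructed RRSIG line; owner, key tag and signature are placeholders."""
    return ("example. 3600 IN RRSIG DNSKEY 8 1 3600 "
            f"{expiration} {inception} 12345 example. c2lnbmF0dXJl")

def rrsig_window(record):
    """Return (inception, expiration) as aware UTC datetimes."""
    f = record.split()
    i = f.index("RRSIG")
    # RDATA order: type alg labels orig-ttl expiration inception keytag signer sig
    parse = lambda s: datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)
    return parse(f[i + 6]), parse(f[i + 5])

def check(record, now):
    """Classify the signature at validator time `now` and give the time gap."""
    inception, expiration = rrsig_window(record)
    if now < inception:
        return "not-yet-valid", inception - now
    if now > expiration:
        return "expired", now - expiration
    return "valid", timedelta(0)

# Constructed scenario: zone signed at 18:00 local time in UTC+6 (12:00 UTC),
# validator looks at the signature 30 minutes later.
UTC6 = timezone(timedelta(hours=6))
SIGNED_AT = datetime(2011, 2, 22, 18, 0, 0, tzinfo=UTC6)
NOW = datetime(2011, 2, 22, 12, 30, 0, tzinfo=timezone.utc)

def scenario(convert_to_utc):
    inc = time_field(SIGNED_AT, convert_to_utc)
    exp = time_field(SIGNED_AT + timedelta(days=30), convert_to_utc)
    return check(make_rrsig(inc, exp), NOW)

if __name__ == "__main__":
    print("local time written as UTC:", scenario(False))
    print("converted to UTC:         ", scenario(True))
```

The same check is worth running against freshly signed zone data before publishing it, with the clock read in UTC.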

DNS, dnssec, and RRSIG :: 22 Feb 2011 :: e-mail