Why DNSSEC errors for bund.de?

Chris Thompson cet1 at cam.ac.uk
Tue May 24 14:01:22 UTC 2011

We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g.
mx1.bund.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and
9.8.0-P1 configured with the root and dlv.isc.org trust anchors.

However, I can't see what is actually wrong with it, using dig +cd as
necessary. All the signatures appear to have valid start/stop times, and
http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There
are a lot of false trails (e.g. the DS records for it in "de") but that
shouldn't stop BIND finding the one that works (DLV in dlv.isc.org ->
KSK with tag 10923 -> ZSK with tag 4814), should it?

It may be significant that this problem was reported to us on the same
day that obscured DNSKEY records were introduced into the "de" zone...

Chris Thompson
Email: cet1 at cam.ac.uk
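The chain check the post describes (DS/DLV record -> KSK by key tag -> ZSK) is what a validator does before trusting a DNSKEY RRset; the script below, added here as an example and not part of Chris Thompson's post, reproduces the key-tag computation of RFC 4034 Appendix B and the SHA-256 DS digest, then reports which DS records actually match a key in the set and which are dead ends. The DNSKEY and DS values are constructed samples, not the real bund.de keys.

```python
import base64
import hashlib

# Constructed sample records (not the real bund.de keys): a KSK and a ZSK
# in presentation format "flags protocol algorithm base64-key".
DNSKEYS = [
    "257 3 8 AQIDBA==",   # constructed KSK (flags 257)
    "256 3 8 BQYHCA==",   # constructed ZSK (flags 256)
]

def dnskey_rdata(presentation):
    """Wire-format RDATA of a DNSKEY given as 'flags proto alg base64key'."""
    flags, proto, alg, key = presentation.split(None, 3)
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode(key))

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithms other than 1/RSAMD5)."""
    if rdata[3] == 1:
        raise ValueError("RSAMD5 key tags are computed differently")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def name_wire(name):
    """Canonical (lower-case) wire form of a fully qualified owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire) || DNSKEY RDATA."""
    return hashlib.sha256(name_wire(owner) + rdata).hexdigest().upper()

def matching_keys(owner, dnskeys, ds_records):
    """Key tags of DNSKEYs that some DS (tag, alg, digest type, digest hex)
    authenticates. DS entries matching nothing are the 'false trails'."""
    matched = set()
    for pres in dnskeys:
        rdata = dnskey_rdata(pres)
        tag, alg = key_tag(rdata), rdata[3]
        for ds_tag, ds_alg, ds_dtype, ds_hex in ds_records:
            if (ds_tag, ds_alg, ds_dtype) != (tag, alg, 2):
                continue   # tag/algorithm mismatch: cannot be this key
            if ds_hex.upper() == ds_digest(owner, rdata):
                matched.add(tag)
    return matched

if __name__ == "__main__":
    ksk = dnskey_rdata(DNSKEYS[0])
    # Constructed DS set: one entry derived from the KSK above, one stale.
    ds = [(key_tag(ksk), 8, 2, ds_digest("bund.de.", ksk)),
          (12345, 8, 2, "00" * 32)]
    print(key_tag(ksk), matching_keys("bund.de.", DNSKEYS, ds))
```

Feeding it the output of `dig +cd +dnssec DNSKEY` for the zone and `dig DS` / `dig DLV` from the parent and dlv.isc.org shows which trust anchor path a validator can actually follow.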

