[Dnssec-deployment] dnsviz.net reporting (benign) US signing error

Chris Thompson cet1 at cam.ac.uk
Wed Dec 1 14:06:12 EST 2010

On Dec 1 2010, I wrote [something mangled, so I'll try again - apologies.
Oh, and by the way, e-mail to hostamster at neustar.biz bounces].

It has been pointed out on the bind-users mailing list - see


- that http://dnsviz.net/d/us/dnssec/ is reporting that the signature on the 
DNSKEY RRset for "us" by one of the keys is bad:

| Errors (1)
|    * RRSIG us/DNSKEY by alg 5, key 27377: 
|      The signature in the RRSIG is bogus.

That key is a ZSK, so this doesn't actually affect validation (the
signature with the KSK is fine).

Anyone know any more about this? Is dnsviz.net even correct?

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

More information about the Dnssec-deployment mailing list