[Dnssec-deployment] Intermittent issues with verisign.net domains
Roland van Rijswijk
roland.vanrijswijk at surfnet.nl
Wed Jul 13 04:36:03 EDT 2011
Hi all,
I have a question for other people operating validating resolvers. I've been seeing intermittent issues with verisign.net domains on some of my resolvers that pop up every couple of weeks (there does not seem to be any pattern which could relate to things like sig-expiry or key rollover). It happened again this morning; here is an excerpt from our (Unbound) resolver log:
Jul 13 09:53:53 ns0 unbound: [15493:1] info: validation failure <crl.verisign.net. A IN>: SERVFAIL no DS for DS crl.verisign.net. while building chain of trust
Jul 13 09:53:55 ns0 unbound: [15493:1] info: validation failure <ocsp.verisign.net. A IN>: SERVFAIL no DS for DS ocsp.verisign.net. while building chain of trust
Jul 13 09:53:58 ns0 unbound: [15493:1] info: validation failure <crl.verisign.net. A IN>: key for validation crl.verisign.net. is marked as invalid because of a previous validation failure <crl.verisign.net. A IN>: SERVFAIL no DS for DS crl.verisign.net. while building chain of trust
Jul 13 09:53:59 ns0 unbound: [15493:1] info: validation failure <ocsp.verisign.net. A IN>: key for validation ocsp.verisign.net. is marked as invalid because of a previous validation failure <ocsp.verisign.net. A IN>: SERVFAIL no DS for DS ocsp.verisign.net. while building chain of trust
Is anybody else seeing this? I'm wondering what might be the cause. I've only seen this particular issue (where a SERVFAIL - presumably from the authoritative server - precedes validation failures) with this domain. And it seems to resolve itself after some time (it disappeared around 10:08 CEST).
Cheers,
Roland
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
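
Added example, not part of the original post: one way to triage a log excerpt like the one above is to group Unbound's "validation failure" lines per query name and separate the first failure from the later lines that only report the key as already marked invalid. The `summarize` function and its field names are this example's own; the sample input is the four log lines copied from the post.

```python
import re

# The four log lines from the post above (Unbound via syslog), embedded verbatim.
SAMPLE_LOG = """\
Jul 13 09:53:53 ns0 unbound: [15493:1] info: validation failure <crl.verisign.net. A IN>: SERVFAIL no DS for DS crl.verisign.net. while building chain of trust
Jul 13 09:53:55 ns0 unbound: [15493:1] info: validation failure <ocsp.verisign.net. A IN>: SERVFAIL no DS for DS ocsp.verisign.net. while building chain of trust
Jul 13 09:53:58 ns0 unbound: [15493:1] info: validation failure <crl.verisign.net. A IN>: key for validation crl.verisign.net. is marked as invalid because of a previous validation failure <crl.verisign.net. A IN>: SERVFAIL no DS for DS crl.verisign.net. while building chain of trust
Jul 13 09:53:59 ns0 unbound: [15493:1] info: validation failure <ocsp.verisign.net. A IN>: key for validation ocsp.verisign.net. is marked as invalid because of a previous validation failure <ocsp.verisign.net. A IN>: SERVFAIL no DS for DS ocsp.verisign.net. while building chain of trust
"""

# Syslog timestamp, host, then Unbound's "validation failure <name type class>: reason".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+unbound: \[\d+:\d+\] info: "
    r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>[^>\s]+)>: "
    r"(?P<reason>.*)$"
)
# Marker seen in the excerpt when a failure is reported from an earlier result.
CACHED_MARK = "is marked as invalid because of a previous validation failure"


def summarize(log_text):
    """Per query name: first timestamp, underlying reason, primary/cached counts."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a validation-failure line
        entry = summary.setdefault(m["qname"], {
            "first_seen": m["ts"], "root_cause": None, "primary": 0, "cached": 0,
        })
        reason = m["reason"]
        if CACHED_MARK in reason:
            entry["cached"] += 1
            # The earlier failure's reason is repeated after the last ">: ".
            reason = reason.rsplit(">: ", 1)[-1]
        else:
            entry["primary"] += 1
        if entry["root_cause"] is None:
            entry["root_cause"] = reason
    return summary


if __name__ == "__main__":
    for name, e in summarize(SAMPLE_LOG).items():
        print(f"{name} first={e['first_seen']} primary={e['primary']} "
              f"cached={e['cached']} cause={e['root_cause']!r}")
```

Run over a longer log, the `first_seen` values give the start time of each episode, which can then be compared against signature expiry or key rollover dates.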