We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g. mx1.bund.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and 9.8.0-P1 configured with the root and dlv.isc.org trust anchors.
However, I can't see what is actually wrong with it, using dig +cd as necessary. All the signatures appear to have valid start/stop times, and http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There are a lot of false trails (e.g. the DS records for it in "de") but that shouldn't stop BIND finding the one that works (DLV in dlv.isc.org -> KSK with tag 10923 -> ZSK with tag 4814), should it?

It may be significant that this problem was reported to us on the same day that obscured DNSKEY records were introduced into the "de" zone...

--
Chris Thompson
Email: c...@cam.ac.uk
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
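The signature start/stop check mentioned in the message can be scripted over saved `dig +dnssec +cd` output. The following is an added example, not part of the original post: the function names, the sample records, their timestamps and the algorithm number are all constructed; only the key tags 10923 and 4814 come from the message.

```python
from datetime import datetime, timezone

# Constructed sample in the presentation format printed by `dig +dnssec +cd`.
# Timestamps, algorithm number and the signature field are made up.
SAMPLE = """\
mx1.bund.de. 3600 IN A 192.0.2.10
mx1.bund.de. 3600 IN RRSIG A 7 3 3600 20110601000000 20110501000000 4814 bund.de. c2FtcGxl
bund.de. 3600 IN RRSIG DNSKEY 7 2 3600 20110520000000 20110420000000 10923 bund.de. c2FtcGxl
bund.de. 3600 IN RRSIG DNSKEY 7 2 3600 20110510000000 20110410000000 4814 bund.de. c2FtcGxl
"""

def _ts(field):
    # RRSIG times are printed as YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    # Fields: owner ttl class RRSIG covered alg labels origttl expire incept tag signer sig
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if line.startswith(";") or len(f) < 13 or f[3] != "RRSIG":
            continue
        sigs.append({"owner": f[0], "covers": f[4], "expires": _ts(f[8]),
                     "inception": _ts(f[9]), "key_tag": int(f[10])})
    return sigs

def audit(text, now):
    # One (owner, covered type, key tag, status) row per signature.
    report = []
    for s in parse_rrsigs(text):
        if now < s["inception"]:
            status = "not-yet-valid"
        elif now > s["expires"]:
            status = "expired"
        else:
            status = "ok"
        report.append((s["owner"], s["covers"], s["key_tag"], status))
    return report

def rrsets_without_valid_sig(text, now):
    # A stale signature is harmless while another one on the same RRset is in its window.
    rows = audit(text, now)
    good = {(o, c) for o, c, _, st in rows if st == "ok"}
    return sorted({(o, c) for o, c, _, _ in rows} - good)

if __name__ == "__main__":
    now = datetime(2011, 5, 15, tzinfo=timezone.utc)  # constructed check time
    for row in audit(SAMPLE, now):
        print(*row)
    print("RRsets with no in-window signature:", rrsets_without_valid_sig(SAMPLE, now))
```

This checks validity windows only; it does not verify the signatures cryptographically or follow the DLV/DS chain.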