Mikael Abrahamsson wrote:
All .se cctld-servers are now updated, so if you're still seeing problems, please reload your resolvers.
Even after a cache reload, the SOA record appears still bogus: | se has SOA record catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211 1800 1800 2419200 7200 (BOGUS (security failure)) even though other records are unaffected: | se has NS record a.ns.se. (secure) BIND logs a failure but returns an answer without AD flag: | named[2843]: validating @0xb50c0030: se SOA: no valid signature found ~$ dig +dnssec -t mx se ; <<>> DiG 9.7.0a3 <<>> +dnssec -t mx se ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55359 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 [...] Unbound returns SERVFAIL instead. I don't quite understand why BIND doesn't so, too. Hauke.