On 12 Oct 2009, at 21:42, Stephane Bortzmeyer wrote:

It fails for me through an Unbound resolver but works with a BIND one. Certainly a DNSSEC glitch but I did not find which one yet. Or if the fault is on my side or not.

I don't think so: ; <<>> DiG 9.4.2-P2 <<>> @192.36.133.107 se ns +norec ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18046 ;; flags: qr aa; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;se. IN NS ;; ANSWER SECTION: se. 172800 IN NS d.ns.se.se. se. 172800 IN NS e.ns.se.se. se. 172800 IN NS f.ns.se.se. se. 172800 IN NS g.ns.se.se. se. 172800 IN NS h.ns.se.se. se. 172800 IN NS i.ns.se.se. se. 172800 IN NS j.ns.se.se. se. 172800 IN NS a.ns.se.se. se. 172800 IN NS b.ns.se.se. se. 172800 IN NS c.ns.se.se. ;; Query time: 46 msec ;; SERVER: 192.36.133.107#53(192.36.133.107) ;; WHEN: Mon Oct 12 21:44:09 2009 ;; MSG SIZE rcvd: 186 -- Time flies like an arrow. Fruit flies like bananas.

Mikael Abrahamsson wrote:

All .se cctld-servers are now updated, so if you're still seeing problems, please reload your resolvers.

Even after a cache reload, the SOA record appears still bogus: | se has SOA record catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211 1800 1800 2419200 7200 (BOGUS (security failure)) even though other records are unaffected: | se has NS record a.ns.se. (secure) BIND logs a failure but returns an answer without AD flag: | named[2843]: validating @0xb50c0030: se SOA: no valid signature found ~$ dig +dnssec -t mx se ; <<>> DiG 9.7.0a3 <<>> +dnssec -t mx se ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55359 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 [...] Unbound returns SERVFAIL instead. I don't quite understand why BIND doesn't so, too. Hauke.

Hi, .se statement: http://www.iis.se/en/2009/10/13/felaktig-dns-information/ Kind regards, ingo flaschberger