[ben@cuckoo.org: .se disappeared?]

Unbound
1

Indeed, it fails for me through Unbound.

% dig SOA se.

; <<>> DiG 9.5.1-P3 <<>> SOA se.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51031
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;se. IN SOA

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Oct 12 22:43:04 2009
;; MSG SIZE rcvd: 31

% dig +cd SOA se.

; <<>> DiG 9.5.1-P3 <<>> +cd SOA se.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47877
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 10, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;se. IN SOA

;; ANSWER SECTION:
se. 7032 IN SOA catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101210 1800 1800 2419200 7200

;; AUTHORITY SECTION:
se. 172632 IN NS a.ns.se.se.
se. 172632 IN NS b.ns.se.se.
se. 172632 IN NS c.ns.se.se.
se. 172632 IN NS d.ns.se.se.
se. 172632 IN NS e.ns.se.se.
se. 172632 IN NS f.ns.se.se.
se. 172632 IN NS g.ns.se.se.
se. 172632 IN NS h.ns.se.se.
se. 172632 IN NS i.ns.se.se.
se. 172632 IN NS j.ns.se.se.

;; ADDITIONAL SECTION:
a.ns.se. 172644 IN A 192.36.144.107
a.ns.se. 172644 IN AAAA 2a01:3f0:0:301::53
b.ns.se. 172644 IN A 192.36.133.107
c.ns.se. 172644 IN A 192.36.135.107
d.ns.se. 172644 IN A 81.228.8.16
e.ns.se. 172644 IN A 81.228.10.57
f.ns.se. 172644 IN A 192.71.53.53
g.ns.se. 172644 IN A 130.239.5.114
g.ns.se. 172644 IN AAAA 2001:6b0:e:3::1
h.ns.se. 172644 IN A 199.7.49.30
i.ns.se. 172644 IN A 194.146.106.22
j.ns.se. 172644 IN A 199.254.63.1
j.ns.se. 145584 IN AAAA 2001:500:2c::1

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Oct 12 22:43:15 2009
;; MSG SIZE rcvd: 540

% dig +dnssec +cd SOA se.

; <<>> DiG 9.5.1-P3 <<>> +dnssec +cd SOA se.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65186
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 11, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se. IN SOA

;; ANSWER SECTION:
se. 7011 IN SOA catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101210 1800 1800 2419200 7200
se. 7011 IN RRSIG SOA 5 1 172800 20091019180557 20091012182816 12075 se. ngngXNhJDJjmnMmSMf5DBlUPIVpmZgn9ERtfXE0OzVFb0hJcJHtsQVVY EsmB6etVJOMa0L2fKLHikU4+gNQkAD8773xWw95apzyg8S+Z0nEOarHT jOm+mnsG1hA3sueQML+K/VfBmVxGwOsLACydn62xzIqtQAFrOCcphtND DS0=

;; AUTHORITY SECTION:
se. 172611 IN NS a.ns.se.se.
se. 172611 IN NS b.ns.se.se.
se. 172611 IN NS c.ns.se.se.
se. 172611 IN NS d.ns.se.se.
se. 172611 IN NS e.ns.se.se.
se. 172611 IN NS f.ns.se.se.
se. 172611 IN NS g.ns.se.se.
se. 172611 IN NS h.ns.se.se.
se. 172611 IN NS i.ns.se.se.
se. 172611 IN NS j.ns.se.se.
se. 172611 IN RRSIG NS 5 1 172800 20091019172718 20091012182816 12075 se. KcuxKPaC9fnNBRR8GfOmCjH54QRDKGtRJxhumbjVt6cAoHRVAODi6CBv W9W3FzwqhNpXOlRZS49dX/4jtD7zyKaI+GudaU/vllc21o3DnxAvJ3lP 7sDXsN6M+qS1H2YZsuX5zPM4UnAdbncvKo/yiqcuqoejhYxWLki6pOp6 dQY=

;; ADDITIONAL SECTION:
a.ns.se. 172623 IN A 192.36.144.107
a.ns.se. 172623 IN AAAA 2a01:3f0:0:301::53
b.ns.se. 172623 IN A 192.36.133.107
c.ns.se. 172623 IN A 192.36.135.107
d.ns.se. 172623 IN A 81.228.8.16
e.ns.se. 172623 IN A 81.228.10.57
f.ns.se. 172623 IN A 192.71.53.53
g.ns.se. 172623 IN A 130.239.5.114
g.ns.se. 172623 IN AAAA 2001:6b0:e:3::1
h.ns.se. 172623 IN A 199.7.49.30
i.ns.se. 172623 IN A 194.146.106.22
j.ns.se. 172623 IN A 199.254.63.1
j.ns.se. 145563 IN AAAA 2001:500:2c::1
a.ns.se. 172623 IN RRSIG A 5 3 172800 20091017170853 20091012162314 12075 se. LMJIZXZxWy8vkDCGyiaNBWEdNjP1eummEEA4qFOs0+Yc+tmQUYVKVJ9R Y5F8OqsleFBWvev4lvMQeJipxfkHREqBAmjxPP9ZBg1atZxoHtzBbWxE cJJBOC6Ho6HV/ZfW7BpVO9kv+P33in4QLrCvc1rRl7inonOUc4l+HpyB Kug=
a.ns.se. 172623 IN RRSIG AAAA 5 3 172800 20091019140056 20091012162314 12075 se. bl+vbQx39C4ULGWvZsh0FT76FRa74tJ+Wt1d2Ph8Ukw8cxvlYjPaGrJL LfkJ2pAdHtFEIWteLg47dmy0TK0BkBOpfjj6ZfyVyoHfbs5wtA+7QtYU ZwHDvoBaaEGnCnT4tMF0JKwDVU+B9KxLO7O/RYwlnjPj7lNN5CgTzkym 3CI=
b.ns.se. 172623 IN RRSIG A 5 3 172800 20091018094111 20091012162314 12075 se. fSdvb3mb8QI8zYU/66Rqq58FtxxJDC+Mrpn9WR7fH0e4KuZL0U4ilyBz OPudlvt6t4t2ELBDFfHbm4xtWlg9mfINdhpbYTEwe4PG0rdj3OZ7WhFD TA8J6fgRFZyVX6LjQWfLj2xH4/qedkpEJXIG9Q+7ULJzKF5GwwzsYgXp dSQ=
c.ns.se. 172623 IN RRSIG A 5 3 172800 20091018162409 20091012162314 12075 se. p8kK9eZYQ/VkOGZETwin2tA2+UY0gbuX/Kyw0Y1j50zc2hoQ2pfamIBA EVKrTNO1/Ll4jUejBY3BlR1BUXx/6bjKBpDV+rFC+zEh+kiFomaB9CLf z4eElYc4V61U6j2RwW4q2UtWtgK5AWCozgnmO3IFHkqwXzRbfCqfsU/h 4EA=
d.ns.se. 172623 IN RRSIG A 5 3 172800 20091017213756 20091012162314 12075 se. fFS8wzeDMm7EVW9FmXYRMV8B22sdgn+DXqW1a5UwApJbzvzmDFd2OcsD 23h2ZPeihq8K1SP72uXtTwcnr1a3ZfHT33/D0PNYezPTEa4mtWO6BNLW Iwzs92oUJAeJ0FMTXpTuJSMivvUeccFIDZyZJVH/qUK5auOgc8JfPmiA JCI=
e.ns.se. 172623 IN RRSIG A 5 3 172800 20091019092758 20091012162314 12075 se. Xx8WEerM+tJTtWghOhWudTXEmwzeQuEQxTfhY7ReNu5aTDolYRe5EF3N ZICLIwXFrega49oG99/KQSOZnd/2Gn0ysTztF5WvAzy6Z2WLDHZsdWQ2 mEP0eZ27KOOWno4zBTZjCbpTbqYzgxbUH3h754NoxW9kXlVR+lrZqgiN jDI=
f.ns.se. 172623 IN RRSIG A 5 3 172800 20091019074039 20091012162314 12075 se. BeG9xSNoCHHriSnQfTKvN0Bj/et745K5Um1WP6SIuy1X5xrfKhepZ1+I fwcCkaOd3Amfqtmil2cO8lKKdOw+GemsYm3tDU0nPNq9CJQFOgjZKDt0 Oy0C6ktHRJu9oy/08470FGHM1PR9pTbywN/TNg+R4x/OkGmMdY1BX6wq DWI=
g.ns.se. 172623 IN RRSIG A 5 3 172800 20091018014151 20091012162314 12075 se. Bt03od6ljWiOK2ClpwsjFjdMYDzkE5DedRbiHyACUYnFw4WFlZqycHqX D30bVgfaDxvY6M17chxWXVyjwBuNbteEjHYhDg6WhU1cFQVOniZnjPb9 cvx+T5LP4t9c7zjtQG5bSqwKEV7tV+ga39vhJcyCW0GzvvQWhAxTqZwY /dU=
g.ns.se. 172623 IN RRSIG AAAA 5 3 172800 20091018053857 20091012162314 12075 se. XASkw1tSToov2+nWbiJZrjBZZsHXXdnQl+Qix0DkNedjAGcgwPccD0hn nvvW8ybotIxdJo5DIt5FyI3mXwhU4i+23ugtlUG4EN7aecvXGUCREnUb FEW75Ry5OHC4rTlUYqgHcJwACyptQq9oDeul5tCm6iG/FHi0epCdMAjv Nw0=
h.ns.se. 172623 IN RRSIG A 5 3 172800 20091018025720 20091012162314 12075 se. wBzN2lFK5tz7y9T7upkPnfCV2weOYObh+CaffK1MNwCIxNJOWLo6brqh YZYuSQiplV3LPE4GkQJnfe1qJR46iuef67arRt81VaBdYdsM3imenN7g PVGoVSwSzRScvZ/2oYdQKYftiblkgBhepCvBo+qsfVkZUCOXZaHu0DJi N5I=
i.ns.se. 172623 IN RRSIG A 5 3 172800 20091017175927 20091012162314 12075 se. moFz1ISKQoiC5nvux5isekosNoBsZ2/ny37gZs1HZofhXFTFnRhXgz9g kK3rAEXQqgedorWqsK74IH7bgrv9TJe2FekzEW1/8GtY9Ral1p3yXuFq 9jOg+9MnVJ2SC6sHgkVHPv519FC8MBmc4hEilSdx0ONmF1T3jT2YOcQ/ NQM=
j.ns.se. 172623 IN RRSIG A 5 3 172800 20091018170546 20091012162314 12075 se. paqzL0imJ12R4R6m/61YQ4mkYnZl6hgBgWzCG+wXQ1HqpcSBdFXrGHP/ 2penRzUTBZkb4LMddlaE11mN27/8RhHI3dz0cfzNtCJAJf3pAeHomObF VBwXPeK+rin0T7EFWsKN0TK8tGZkoq6rGm0v+Jt2xHPlhnv3SxfQQ3UZ V8k=
j.ns.se. 145563 IN RRSIG AAAA 5 3 172800 20091018091717 20091012102315 12075 se. A11MNqyuF8dCQApswVd9Ib8M8fORxmYLxDp86nDoMW7NIGsidfB7y5S+ 2QNE8X9r+h44ckS6dCfhf9hx3AuGFqgfFWKPLkdBxsgdzaVBfBxJpgHZ sLoQ/0ffOhedJ/tqf7wQXsljX2X0jQoDNpVE48Be/jTuzghdkEKjXYh0 /R8=

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Oct 12 22:43:36 2009
;; MSG SIZE rcvd: 2970

Unbound 1.3.2. It works through a BIND resolver but it may be simply a
matter of luck (caching, etc).

2

This seems odd. Shouldn't it be "se NS a.ns.se" not a.ns.se.se?

Also strange that the a.ns.se A record was included anyway.

3

Indeed, it fails for me through Unbound.

Me too. unbound-host reports the following:

% unbound-host -f /usr/local/etc/unbound/anchors.mf -vd -t soa se
...
[1255381375] libunbound[24020:0] info: Successfully primed trust anchor <SE. DNSKEY IN>
[1255381375] libunbound[24020:0] info: Validate: message contains bad rrsets
se has SOA record catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211 1800 1800 2419200 7200 (BOGUS (security failure))

oops.

However:

% unbound-host -f /usr/local/etc/unbound/anchors.mf -v -t ns se
se has NS record b.ns.se. (secure)
se has NS record f.ns.se. (secure)
se has NS record g.ns.se. (secure)
se has NS record d.ns.se. (secure)
se has NS record c.ns.se. (secure)
se has NS record e.ns.se. (secure)
se has NS record i.ns.se. (secure)
se has NS record j.ns.se. (secure)
se has NS record h.ns.se. (secure)
se has NS record a.ns.se. (secure)

4

a message of 241 lines which said:

se. 172632 IN NS a.ns.se.se.

Even after that problem was repaired (no dot at the end...), my
Unbound (which has been restarted cold) still has problems:

% dig MX se.

; <<>> DiG 9.5.1-P3 <<>> MX se.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;se. IN MX

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Oct 12 23:11:46 2009
;; MSG SIZE rcvd: 31

% dig +dnssec +cd MX se.

; <<>> DiG 9.5.1-P3 <<>> +dnssec +cd MX se.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57216
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se. IN MX

;; AUTHORITY SECTION:
se. 172280 IN SOA catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211 1800 1800 2419200 7200
se. 172280 IN RRSIG SOA 5 1 172800 20091019014636 20091012162314 12075 se. nZovZAGx5M4r1o7RXrzJJ+IEfax27GlPnaza0psSvJAY4q5xbF9SrfaB PplG+t2FjjQv3IXT5+C6I7RmQ1R2wrApWGcj/CmQyTig/+sqlC4sBzTl os73ZbLWWcXWctk5lB9Yg/+qaK/BYYPYrHkH/kDu5g20REcA9QUUexwx 3aE=
se. 6680 IN NSEC 0-0.se. NS SOA TXT RRSIG NSEC DNSKEY
se. 6680 IN RRSIG NSEC 5 1 7200 20091018140308 20091011222313 12075 se. mCwEohiAsgyvQJSt3UeCJRdzUgvZ39uXspmE8PByFVFmR6LbFPdGWuml lf4uzdXUghRuJURBGunc1iu3pbQAjFIU3k6UIOVIalT/DmuOh3PUWs9T /jaruvq1vQNgyzECFqO5Fj2yAUEr6/qGl8ybyD+hUvpJHFjNmxOGdEbG lCE=

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Oct 12 23:11:58 2009
;; MSG SIZE rcvd: 460

And:

% dig NS se.

; <<>> DiG 9.5.1-P3 <<>> NS se.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34705
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;se. IN NS

;; ANSWER SECTION:
se. 172272 IN NS g.ns.se.
se. 172272 IN NS e.ns.se.
se. 172272 IN NS j.ns.se.
se. 172272 IN NS h.ns.se.
se. 172272 IN NS c.ns.se.
se. 172272 IN NS b.ns.se.
se. 172272 IN NS i.ns.se.
se. 172272 IN NS f.ns.se.
se. 172272 IN NS a.ns.se.
se. 172272 IN NS d.ns.se.

;; ADDITIONAL SECTION:
a.ns.se. 172272 IN A 192.36.144.107
a.ns.se. 172272 IN AAAA 2a01:3f0:0:301::53
b.ns.se. 172272 IN A 192.36.133.107
c.ns.se. 172272 IN A 192.36.135.107
d.ns.se. 172272 IN A 81.228.8.16
e.ns.se. 172272 IN A 81.228.10.57
f.ns.se. 172272 IN A 192.71.53.53
g.ns.se. 172272 IN A 130.239.5.114
g.ns.se. 172272 IN AAAA 2001:6b0:e:3::1
h.ns.se. 172272 IN A 199.7.49.30
i.ns.se. 172272 IN A 194.146.106.22
j.ns.se. 172272 IN A 199.254.63.1
j.ns.se. 172272 IN AAAA 2001:500:2c::1

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Oct 12 23:12:09 2009
;; MSG SIZE rcvd: 438

5

a message of 109 lines which said:

% dig MX se.

; <<>> DiG 9.5.1-P3 <<>> MX se.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28196

The log says:

Oct 12 23:22:56 batilda unbound: [16214:0] info: query response was
ANSWER
Oct 12 23:22:56 batilda unbound: [16214:0] info: finishing processing
for <se. AAAA IN>
Oct 12 23:22:56 batilda unbound: [16214:0] debug: validator[module 0]
operate: extstate:module_wait_module event:module_event_moddone
Oct 12 23:22:56 batilda unbound: [16214:0] info: validator operate:
query <se. AAAA IN>
Oct 12 23:22:56 batilda unbound: [16214:0] debug: verify: signature
mismatch
Oct 12 23:22:56 batilda unbound: [16214:0] info: validator: response
has failed AUTHORITY rrset: <se. SOA IN>
Oct 12 23:22:56 batilda unbound: [16214:0] info: Validate: message
contains bad rrsets

Here are the data:

% dig +dnssec +cd AAAA se.

; <<>> DiG 9.5.1-P3 <<>> +dnssec +cd AAAA se.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6113
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se. IN AAAA

;; AUTHORITY SECTION:
se. 6969 IN SOA catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211 1800 1800 2419200 7200
se. 6969 IN RRSIG SOA 5 1 172800 20091019014636 20091012162314 12075 se. nZovZAGx5M4r1o7RXrzJJ+IEfax27GlPnaza0psSvJAY4q5xbF9SrfaB PplG+t2FjjQv3IXT5+C6I7RmQ1R2wrApWGcj/CmQyTig/+sqlC4sBzTl os73ZbLWWcXWctk5lB9Yg/+qaK/BYYPYrHkH/kDu5g20REcA9QUUexwx 3aE=
se. 6969 IN NSEC 0-0.se. NS SOA TXT RRSIG NSEC DNSKEY
se. 6969 IN RRSIG NSEC 5 1 7200 20091018140308 20091011222313 12075 se. mCwEohiAsgyvQJSt3UeCJRdzUgvZ39uXspmE8PByFVFmR6LbFPdGWuml lf4uzdXUghRuJURBGunc1iu3pbQAjFIU3k6UIOVIalT/DmuOh3PUWs9T /jaruvq1vQNgyzECFqO5Fj2yAUEr6/qGl8ybyD+hUvpJHFjNmxOGdEbG lCE=

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Oct 12 23:23:30 2009
;; MSG SIZE rcvd: 460

6

Stephane Bortzmeyer wrote:

% dig MX se.

; <<>> DiG 9.5.1-P3 <<>> MX se.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28196

The log says:

[...]

Oct 12 23:22:56 batilda unbound: [16214:0] debug: verify: signature
mismatch
Oct 12 23:22:56 batilda unbound: [16214:0] info: validator: response
has failed AUTHORITY rrset: <se. SOA IN>
Oct 12 23:22:56 batilda unbound: [16214:0] info: Validate: message
contains bad rrsets

BIND says about the same:

Oct 13 00:04:29 pope named[2843]: validating @0xb50c0030: se SOA: no

valid signature found

Yet it still returns an answer without AD flag:

~$ dig +dnssec -t mx se

; <<>> DiG 9.7.0a3 <<>> +dnssec -t mx se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19619
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;se. IN MX

;; AUTHORITY SECTION:
se. 3600 IN SOA
catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211 1800 1800
2419200 7200
se. 3600 IN RRSIG SOA 5 1 172800
20091019014636 20091012162314 12075 se.
nZovZAGx5M4r1o7RXrzJJ+IEfax27GlPnaza0psSvJAY4q5xbF9SrfaB
PplG+t2FjjQv3IXT5+C6I7RmQ1R2wrApWGcj/CmQyTig/+sqlC4sBzTl
os73ZbLWWcXWctk5lB9Yg/+qaK/BYYPYrHkH/kDu5g20REcA9QUUexwx 3aE=
[...]

dnssec-validation is enabled and se.dlv.isc.org holds DLV records for
current se DNSKEYs. It should return SERVFAIL, I think.

Hauke.

7

I managed to replicate the validation failure at the apex. SE also contains a TXT record at its apex. That seems to validate correctly.

--Olaf

8

Olaf Kolkman wrote:

Indeed, it fails for me through Unbound.

Me too. unbound-host reports the following:

% unbound-host -f /usr/local/etc/unbound/anchors.mf -vd -t soa se
...
[1255381375] libunbound[24020:0] info: Successfully primed trust
anchor <SE. DNSKEY IN>
[1255381375] libunbound[24020:0] info: Validate: message contains bad
rrsets
se has SOA record catcher-in-the-rye.nic.se. registry-default.nic.se.
2009101211 1800 1800 2419200 7200 (BOGUS (security failure))

oops.

I managed to replicate the validation failure at the apex. SE also
contains a TXT record at its apex. That seems to validate correctly.

yup, it seems only the SOA is bad:

jelte@dragon:~> drill -4 -S SOA se. @i.ns.se.
;; Chasing: se. SOA
Warning: No trusted keys specified

DNSSEC Trust tree:
se. (SOA)

---Bogus DNSSEC signature:

se. 172800 IN RRSIG SOA 5 1 172800 20091019014636 20091012162314 12075 se.
nZovZAGx5M4r1o7RXrzJJ+IEfax27GlPnaza0psSvJAY4q5xbF9SrfaBPplG+t2FjjQv3IXT5+C6I7RmQ1R2wrApWGcj/CmQyTig/+sqlC4sBzTlos73ZbLWWcXWctk5lB9Yg/+qaK/BYYPYrHkH/kDu5g20REcA9QUUexwx3aE=
;{id = 12075}
For RRset:
se. 172800 IN SOA catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211
1800 1800 2419200 7200
With key:
se. 3600 IN DNSKEY 256 3 5
AwEAAcPBjSwyCfRL8c/o/cJAezARNJd7mwcgY2BmyWlpsfhXBPIFh36vOSyacZ1hP+Qg7ycSQhyiyXNrC4aTEaF5JYjgXgRh5rmGtPKt2sj/Me4inmQenlYT25MO63Yx0f6x5HcjBem6TFA7Eca95Jl8GalgG2LV5xO//SOxYV/V5ZSz
;{id = 12075 (zsk), size = 1024b}

---se. (DNSKEY keytag: 12075 alg: 5 flags: 256)

    >---se. (DNSKEY keytag: 8779 alg: 5 flags: 257)
    >---se. (DNSKEY keytag: 49678 alg: 5 flags: 257)

jelte@dragon:~> drill -4 -S NS se. @i.ns.se.
;; Chasing: se. NS
Warning: No trusted keys specified

DNSSEC Trust tree:
se. (NS)

---se. (DNSKEY keytag: 12075 alg: 5 flags: 256)

    >---se. (DNSKEY keytag: 8779 alg: 5 flags: 257)
    >---se. (DNSKEY keytag: 49678 alg: 5 flags: 257)

Jelte

9

a message of 79 lines which said:

yup, it seems only the SOA is bad:

No, ANSWER=0 responses (I tried with non-existing types such as AAAA
or MX) also did not validate (this morning, it works).

10

to close the loop.
An explanation on why the SOA RR failed to validate:
    http://www.iis.se/en/2009/10/13/felaktig-dns-information/

--Olaf