It appears that the bluewin DNS caches are using an old key for verifying DNSSEC for the zone switch.ch, as can be seen by using the "cd" option of dig
; <<>> DiG 9.6.1-P1 <<>> @dns1.bluewin.ch. switch.ch. soa ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 605 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION: ;switch.ch. IN SOA
;; Query time: 40 msec ;; SERVER: 195.186.1.110#53(195.186.1.110) ;; WHEN: Mon Aug 3 14:17:55 2009 ;; MSG SIZE rcvd: 27
; <<>> DiG 9.6.1-P1 <<>> @dns1.bluewin.ch. switch.ch. soa +cd ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 865 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION: ;switch.ch. IN SOA
;; ANSWER SECTION: switch.ch. 86400 IN SOA scsnms.switch.ch. hostmaster.switch.ch. 2009080301 28800 7200 604800 180
;; Query time: 4 msec ;; SERVER: 195.186.1.110#53(195.186.1.110) ;; WHEN: Mon Aug 3 14:17:56 2009 ;; MSG SIZE rcvd: 81
I sent mail to hostmaster@bluewin.ch but I'm not sure whether that gets the proper attention. This is a serious issue for us.
To everybody: PLEASE don't configure DNSSEC trust anchors from untrusted sources (heck, that's why they are called trust anchors). That defeats the purpose of it and chances are that you will miss key-rollovers.
BTW, is the #swinog IRC channel still alive somewhere after irc.swinog.ch went away?