dnssec lookaside to dlv.isc.org broke recursion
D. Stussy
spam at bde-arc.ampr.org
Thu Oct 23 21:06:20 UTC 2008
"Florian Weimer" <fw at deneb.enyo.de> wrote in message
news:gdqfih$l14$1 at sf1.isc.org...
> * Vinny Abello:
>
> > I've got two recursive DNS servers running on FreeBSD 7.0 each with
> > BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.
>
> The annual key rollover for dlv.isc.org happened 30 days ago, and the
> transition period is now over. You probably failed to perform that
> rollover.
I see nothing on the resource https://secure.isc.org/ops/dlv/index.php that
tells us that there is a periodic rollover of the key-signing-key for the
DLV. I expect that the zone-signing-key ("256") and ONLY that key will be
changed every month. The key-signing-key shouldn't be changed very often
(if at all). Remember that this is a transitional mechanism that should
only be in place for a short number of years.
If isc.org is going to change it annually or so, fine, but then let them
publish about 4 key-signing-keys, even if only one is actively used. That
would be 4 years worth of keys, which should be enough to cover 4+ years -
long enough for ICANN to get off their asses and sign the root zone.
Might using the wrong key-signing-key as a trusted key be the cause of the
assertion failure I reported in a separate thread?
More information about the bind-users
mailing list