dnssec lookaside to dlv.isc.org broke recursion

D. Stussy spam at bde-arc.ampr.org
Thu Oct 23 21:06:20 UTC 2008


"Florian Weimer" <fw at deneb.enyo.de> wrote in message
news:gdqfih$l14$1 at sf1.isc.org...
> * Vinny Abello:
>
> > I've got two recursive DNS servers running on FreeBSD 7.0 each with
> > BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.
>
> The annual key rollover for dlv.isc.org happened 30 days ago, and the
> transition period is now over.  You probably failed to perform that
> rollover.


I see nothing on the resource https://secure.isc.org/ops/dlv/index.php that
tells us that there is a periodic rollover of the key-signing-key for the
DLV.  I expect that the zone-signing-key ("256") and ONLY that key will be
changed every month.  The key-signing-key shouldn't be changed very often
(if at all).  Remember that this is a transitional mechanism that should
only be in place for a short number of years.

If isc.org is going to change it annually or so, fine, but then let them
publish about 4 key-signing-keys, even if only one is actively used.  That
would be 4 years' worth of keys, which should be enough to cover 4+ years -
long enough for ICANN to get off their asses and sign the root zone.


Might using the wrong key-signing-key as a trusted key be the cause of the
assertion failure I reported in a separate thread?
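
The check a resolver operator wants in this situation is whether the key configured as a trust anchor still appears in the DNSKEY RRset the zone currently publishes, and whether the configured key is actually a KSK (flag 257, SEP bit set) rather than a ZSK (flag 256). The script below is an added example and is not code from the original post or from ISC; it parses a BIND trusted-keys block and a DNSKEY RRset in presentation format, computes RFC 4034 key tags, and reports stale anchors, published KSKs that are not configured, and anchors that are ZSKs. All key material in it is constructed (tiny fake public keys), not the real dlv.isc.org keys, and the owner name, algorithm number and TTL are assumptions for the sake of the sample.

```python
"""Compare a BIND trusted-keys block against a zone's published DNSKEY RRset.

Added example, not from the original post or from ISC. All key material is
constructed (short fake public keys); the real dlv.isc.org keys are not used.
"""
import base64
import re
import struct

ZONE_FLAG = 0x0100  # DNSKEY flags: Zone Key bit (set on both ZSK 256 and KSK 257)
SEP_FLAG = 0x0001   # DNSKEY flags: Secure Entry Point bit; 257 = ZONE | SEP


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B.1 key tag over the wire-format DNSKEY RDATA."""
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag computation")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_trusted_keys(text):
    """Parse entries of the form:  owner flags protocol algorithm "base64";"""
    pattern = re.compile(r'^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;', re.M)
    return [
        (owner.lower(), int(flags), int(proto), int(alg), "".join(key.split()))
        for owner, flags, proto, alg, key in pattern.findall(text)
    ]


def parse_dnskey_rrset(text):
    """Parse presentation-format lines: owner [ttl] [IN] DNSKEY flags proto alg key..."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        keys.append((fields[0].lower(), flags, proto, alg, "".join(fields[i + 4:])))
    return keys


def describe(key):
    owner, flags, proto, alg, pub = key
    role = "KSK" if flags & SEP_FLAG else "ZSK"
    return f"{owner} {flags} {proto} {alg} tag={key_tag(flags, proto, alg, pub)} ({role})"


def check_trust_anchors(trusted, published):
    """Classify configured anchors against the published RRset (exact RDATA match)."""
    published_set, trusted_set = set(published), set(trusted)
    report = {"stale": [], "missing_ksk": [], "zsk_anchor": [], "ok": []}
    for key in trusted:
        report["ok" if key in published_set else "stale"].append(key)
        if not key[1] & SEP_FLAG:          # anchoring a ZSK breaks at the next ZSK roll
            report["zsk_anchor"].append(key)
    for key in published:
        if key[1] & SEP_FLAG and key not in trusted_set:
            report["missing_ksk"].append(key)
    return report


# Constructed sample: a trusted-keys stanza still carrying the pre-rollover KSK.
SAMPLE_TRUSTED_KEYS = '''
trusted-keys {
    dlv.isc.org. 257 3 5 "AQIDBA==";
};
'''

# Constructed sample RRset (fake keys): the KSK has been rolled and the old one withdrawn.
SAMPLE_DNSKEY_RRSET = '''
dlv.isc.org.  3600  IN  DNSKEY  256 3 5 CgsMDQ==
dlv.isc.org.  3600  IN  DNSKEY  257 3 5 ECAwQA==
'''


def main():
    report = check_trust_anchors(parse_trusted_keys(SAMPLE_TRUSTED_KEYS),
                                 parse_dnskey_rrset(SAMPLE_DNSKEY_RRSET))
    for key in report["stale"]:
        print("STALE anchor, no longer in the zone:", describe(key))
    for key in report["missing_ksk"]:
        print("Published KSK not configured as an anchor:", describe(key))
    for key in report["zsk_anchor"]:
        print("Anchor is a ZSK and will break at the next ZSK roll:", describe(key))
    for key in report["ok"]:
        print("OK:", describe(key))


if __name__ == "__main__":
    main()
```

In practice one feeds it the trusted-keys stanza from named.conf and the answer section of a DNSKEY query for the zone; the script only tells you whether your anchor matches what the zone publishes today, it does not validate the signature chain, so a matching anchor is necessary but not sufficient.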



