DLV validation fails after ksk rollover

R Dicaire kritek at gmail.com
Tue Jun 23 15:11:24 UTC 2009


Hi folks...Yesterday I performed a DNSSEC KSK rollover, updated DLV
with the new keys, and confirmed successful updates to DLV via their
script. According to DLV all zones are good. Upon completing this, I
then removed the old keys from the DLV db for each zone I have
registered.
Now when I attempt to validate lookups against DLV, the lookups fail.
To test lookup I was using:

dig +dnssec www.kritek.net aaaa

Here's the logging output using debug 3 for dnssec:

http://www.ardynet.com/kritek-dlv-fail.txt

I don't know the frequency that DLV updates its records, so I don't
know if this is simply a matter of waiting for them to update (it's
been ~24 hours since I completed the ksk rollover, and updated DLV
with the new keys), or if there's a configuration issue at my end, or
if I deleted my old keys from DLV too soon.

Which begs another question: I recall reading in an RFC that there
were a couple or three different "policies" regarding the manner of
ksk rollovers, one being pre-publish, is this the method best suited
for DLV use?

The last time I performed a ksk rollover, I didn't immediately remove
the old keys from DLV, and I suspect this might be the cause for my
current lookup issues.

Everything used locally is bind 9.6.1 on slackware linux 12.0/12.1 and
freebsd 7.2

I'm not sure how to further troubleshoot DLV lookup problems. Any
help/pointers/etc would be greatly appreciated.

Thanks
-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
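One way to narrow this down, added here as an example and not part of the original post: rebuild the DS-style digest of each KSK in the zone's DNSKEY RRset and compare it with the entries DLV holds for the zone, so a missing or stale (already-removed or not-yet-published) entry shows up directly. The zone name and keys below are constructed sample values; the DLV entries are assumed to be supplied as (key tag, algorithm, digest type, hex digest) tuples copied from a DLV lookup.

```python
import base64
import hashlib

# Constructed sample (not from the post): a zone mid-rollover with an old and a
# new KSK (flags 257) plus a ZSK (flags 256), as dig prints the DNSKEY RRset.
ZONE = "example.net."
DNSKEYS = [
    (257, 3, 8, base64.b64encode(b"old-ksk-public-key-bytes").decode()),
    (257, 3, 8, base64.b64encode(b"new-ksk-public-key-bytes").decode()),
    (256, 3, 8, base64.b64encode(b"zsk-public-key-bytes").decode()),
]

def name_to_wire(name):
    """Canonical (lowercase) wire form of a fully qualified owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """Rebuild DNSKEY RDATA bytes from the fields shown in presentation format."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(zone, rdata):
    """Digest type 2 (SHA-256) over owner name + DNSKEY RDATA, as DS/DLV store it."""
    return hashlib.sha256(name_to_wire(zone) + rdata).hexdigest()

def check_dlv(zone, dnskeys, dlv_entries):
    """Compare KSKs in the DNSKEY RRset with DLV entries given as
    (key_tag, algorithm, digest_type, digest_hex); only SHA-256 entries are matched.
    Returns (KSK tags with no DLV entry, DLV tags matching no published KSK)."""
    ksk = {}
    for flags, proto, alg, pk in dnskeys:
        if flags & 1:  # SEP bit set: treat as a KSK
            rd = dnskey_rdata(flags, proto, alg, pk)
            ksk[key_tag(rd)] = (alg, ds_digest(zone, rd))
    matched, stale = set(), []
    for tag, alg, dtype, digest in dlv_entries:
        if dtype == 2 and ksk.get(tag) == (alg, digest.lower()):
            matched.add(tag)
        else:
            stale.append(tag)
    return sorted(set(ksk) - matched), stale
```

A tag in the first list is a KSK that DLV does not (yet) cover, and a tag in the second list is a DLV entry that no longer matches any published KSK; either one will make validation fail until the zone's DNSKEY RRset and the DLV entries agree again.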
