Reverse lookup failing when arpa.dlv.isc.org appeared
Chris Thompson
cet1 at cam.ac.uk
Wed Mar 31 22:42:03 UTC 2010
On Mar 27 2010, Michael Sinatra wrote:
>On 03/25/10 05:21, Chris Thompson wrote:
>> I'll be reporting this to bind-bugs, but I thought I would mention it here
>> in case others can confirm the effect.
>>
>> Our two main recursive nameservers used DNSSEC validation via dlv.isc.org.
>> In the past we have had suspicions that there are glitches when new entries
>> appear in the DLV zone. For example, we got reports that users were
>> temporarily unable to access CERN web sites on the morning that "cz"
>> went into dlv.isc.org.
>
>I saw the same effect within the GOV domain, when the GOV trust-anchor
>was re-added to the ISC DLV last May:
>
>https://lists.dns-oarc.net/pipermail/dns-operations/2009-May/003867.html
>
>This is not a DLV-only issue; my experience is that it also affects
>manually (or semi-automatically via scripts that modify
>named-trustedkeys) updated trust-anchors. 'rndc flush' is necessary to
>fix it.

If that's a requirement it ought to be documented. But of course there
is a difference: at least you know when you are changing trust anchors:
there's no way you can protect yourself against the sudden appearance of
a DLV (or DS) record in someone else's zone!
--
Chris Thompson
Email: cet1 at cam.ac.uk