dnssec lookaside to dlv.isc.org broke recursion
Mark Andrews
Mark_Andrews at isc.org
Sat Oct 25 00:09:02 UTC 2008
In message <gdqp0v$57o$1 at snarked.org>, "D. Stussy" writes:
> "Florian Weimer" <fw at deneb.enyo.de> wrote in message
> news:gdqfih$l14$1 at sf1.isc.org...
> > * Vinny Abello:
> >
> > > I've got two recursive DNS servers running on FreeBSD 7.0 each with
> > > BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.
> >
> > The annual key rollover for dlv.isc.org happened 30 days ago, and the
> > transition period is now over. You probably failed to perform that
> > rollover.
>
> I see nothing on the resource https://secure.isc.org/ops/dlv/index.php that
> tells us that there is a periodic rollover of the key-signing-key for the
> DLV. I expect that the zone-signing-key ("256") and ONLY that key will be
> changed every month. The key-signing-key shouldn't be changed very often
> (if at all). Remember that this is a transitional mechanism that should
> only be in place for a short number of years.
See DLV Registry Policy and Practice which is linked off of
that page.
https://secure.isc.org/ops/dlv/dlv-pol-pract-v1.0.php
The trusted keys have always been described as
"The current DLV KSK public key"
Which should also be a clear indication that they change.
Adding a "next scheduled key rollover commencement date" may
be useful. Note there can always be emergency key rollover
events so you should be subscribed to the announcement list.
Mark
> If isc.org is going to change it annually or so, fine, but then let them
> publish about 4 key-signing-keys, even if only one is actively used. That
> would be 4 years worth of keys, which should be enough to cover 4+ years -
> long enough for ICANN to get off their asses and sign the root zone.
>
> Might using the wrong key-signing-key as a trusted key be the cause of the
> assertion failure I reported in a separate thread?
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list