[dns-operations] ISC DLV broken?

Geoffrey Sisson geoff at geoff.co.uk
Sun Apr 5 06:15:55 UTC 2009

mvn at ucla.edu (Michael Van Norman) wrote:

> Starting a bit after 18:00, my home machines started failing DNSSEC
> validation using the ISC DLV.
> Are other people seeing this?

Yes, starting at around the same time (PDT).

Peter_Losher at isc.org (Peter Losher) wrote:

> ISC is aware that there is an issue with lookups against dlv.isc.org and
> are investigating the cause behind it.  You may want to disable DNSSEC
> validation against dlv.isc.org at this time.

It appears as if the RRSIG RRset returned by the DLV nameservers for
"dlv.isc.org" is missing the RRSIG for the KSK, so validation for
dlv.isc.org is failing.  It _does_ contain the RRSIG for the ZSK (key
id 64263).

As a test I tried changing the trusted key to the ZSK, and DLV validation
appeared to work correctly.  This is, of course, not a recommended


