[dns-operations] Problems resolving .gov using DLV
Michael Sinatra
michael at rancid.berkeley.edu
Tue Mar 17 17:45:12 UTC 2009
On 03/17/09 08:46, Edward Lewis wrote:
> At 20:58 -0400 3/16/09, Keith Mitchell wrote:
>
>> Since this is clearly causing operational pain for various people, we
>> (ISC as DLV provider) have temporarily rolled .gov out of DLV. We have a
>
> Is there any other nsec3 key in the DLV? I'd like to confirm that there
> is a "problem." (That is, setting up an older name server with DLV and
> then a newer one.)

I agree that you should try to replicate it, but I did the "experiment"
in production yesterday. The crash upgrade to 9.6.0-P1 fixed the .gov
problem before the key was rolled out of the DLV. Today, I can still
replicate it with satellite.dnslab.jp, as mentioned in my previous message.

BIND's behavior when a trust anchor with an unsupported algorithm is
configured is to refuse to load the trust anchor. (It actually refuses
to reload at all, giving a "failed" response.) I haven't tested
unbound, but Stephane's comments indicate that it has a similar problem.

michael