[dns-operations] Problems resolving .gov using DLV

Michael Sinatra michael at rancid.berkeley.edu
Tue Mar 17 17:45:12 UTC 2009

On 03/17/09 08:46, Edward Lewis wrote:
> At 20:58 -0400 3/16/09, Keith Mitchell wrote:
>> Since this is clearly causing operational pain for various people, we
>> (ISc as DLV provider) have temporarily rolled .gov out of DLV. We have a
> Is there any other nsec3 key in the DLV?  I'd like to confirm that there 
> is a "problem."  (That is, setting up an older name server with DLV and 
> then a newer one.)

I agree that you should try to replicate it, but I did the "experiment" 
in production yesterday.  The crash upgrade to 9.6.0-P1 fixed the .gov 
problem before the key was rolled out of the DLV.  Today, I can still 
replicate it with satellite.dnslab.jp, as mentioned in my previous message.

BIND's behavior when a trust anchor with an unsupported algorithm is 
configured is to refuse to load the trust anchor.  (It actually refuses 
to reload at all, giving a "failed" response.)  I haven't tested 
unbound, but Stephane's comments indicate that it has a similar problem.


More information about the dns-operations mailing list