[dns-operations] More dnssec issues with .gov?

Anthony Iliopoulos ailiop at lsu.edu
Tue May 5 18:56:21 UTC 2009


We have been under the same kind of effects with DNSSEC validation
lately here at LSU. Yesterday ed.gov appeared to have some issue
when the validation was enabled on our resolvers. The relevant
BIND dnssec-channel logfile was showing that the validator was
eventually failing, by backing off to avoid a deadlock (perhaps
detected a cycle in the validation process, I suppose) but that's
a totally implementation-specific thing.

Flushing the caches did not appear to do any good for that case,
so I had to disable the validation on our recursive resolvers
temporarily. I have now generally integrated some related checks
into a very custom monitoring script that dynamically disables
the validation on the servers under such circumstances (via rndc),
as an extreme measure to keep name resolution going.

Regards,
Anthony

On Tue, 5 May 2009, Craig Leres wrote:

> nsx.lbl.gov started returning SERVFAIL for "dig +dnssec gov." a few
> minutes ago. This is the second day in a row this has happened on this
> server:
>
>    05-May-2009 10:22am PDT
>    04-May-2009 10:01am PDT
>
> As before, I did a "rndc flush" and that fixed the issue. (I dumped the
> cache before doing this in case it contains any useful info.)
>
> Am I the only one who is seeing this?
>
>                Craig
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
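
The kind of check discussed in this thread, as an added example that is not the monitoring script from the original post: it tells a validation-induced SERVFAIL apart from an ordinary resolution failure by repeating the query with checking disabled, then picks the rndc step. The function names, the flush-before-disable order and the sample header lines are assumptions.

```shell
#!/bin/sh
# Added example; names, ordering and sample data are assumptions, not the
# original script. Nothing runs at load time; call probe against a resolver.

# Constructed samples of the header line dig prints for each response.
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243'

# Read dig output on stdin, print the response code (NOERROR, SERVFAIL, ...).
rcode_of() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify NORMAL_RCODE CD_RCODE
# NORMAL_RCODE: rcode of a normal query (the resolver validates).
# CD_RCODE: rcode of the same query sent with checking disabled (+cdflag).
# SERVFAIL that becomes NOERROR once checking is disabled points at the
# validator; SERVFAIL both ways points at plain resolution trouble.
classify() {
    case "$1" in
        SERVFAIL)
            if [ "$2" = "NOERROR" ]; then echo validation-failure
            else echo resolution-failure
            fi ;;
        "") echo no-response ;;   # timeout or unparsable output
        *)  echo ok ;;
    esac
}

# next_action CLASS FLUSHED(yes|no): print the rndc command to run, or "none".
# Flush first; turn validation off only if the failure survives the flush,
# since that removes DNSSEC protection for every zone until it is re-enabled.
next_action() {
    case "$1:$2" in
        validation-failure:no)  echo "rndc flush" ;;
        validation-failure:yes) echo "rndc validation off" ;;
        *)                      echo "none" ;;
    esac
}

# probe RESOLVER NAME: query a live resolver twice and classify the result.
probe() {
    normal=$(dig +dnssec "@$1" "$2" SOA | rcode_of)
    unchecked=$(dig +dnssec +cdflag "@$1" "$2" SOA | rcode_of)
    classify "$normal" "$unchecked"
}
```

The script only prints the chosen command, so each decision can be logged and alerted on before anything is changed on the resolver.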


