[dns-operations] Signing of the ARPA zone

Michael Graff mgraff at isc.org
Fri Mar 26 18:01:37 UTC 2010

On 3/26/10 10:55 AM, Simon Leinen wrote:
> And then almost immediately, inverse lookups started to fail on one of
> our recursive nameservers, running BIND 9.7.0 (just like the others).
> This is an extract from the log (timestamps in UTC) of that nameserver:

Just to be specific, you are NOT using DLV?

> So does anybody have an explanation on how old information in the cache
> (or another inconsistency) can have caused this?

I think the right answer for you will be to flush your cache when you
update trust anchors.  If you're clever, you can do it only for added or
removed anchors.  Hopefully this will help until...

> And if so, could this have been prevented by the phase-in procedure of
> DNSSEC for .ARPA? (And if so, how?)

I don't believe ARPA did anything wrong.  I think it is a bug in BIND 9,
and we are investigating.


More information about the dns-operations mailing list