[dns-operations] Signing of the ARPA zone
Simon Leinen
simon.leinen at switch.ch
Fri Mar 26 18:20:10 UTC 2010
Michael Graff writes:
> On 3/26/10 10:55 AM, Simon Leinen wrote:
>> And then almost immediately, inverse lookups started to fail on one
>> of our recursive nameservers, running BIND 9.7.0 (just like the
>> others). This is an extract from the log (timestamps in UTC) of that
>> nameserver:
> Just to be specific, you are NOT using DLV?
No, never in production.
>> So does anybody have an explanation on how old information in the cache
>> (or another inconsistency) can have caused this?
> I think the right answer for you will be to flush your cache when you
> update trust anchors.
OK. I don't like flushing the entire cache, it currently seems risky
not to do it.
> If you're clever, you can do it only for added or removed anchors.
Yes, maybe we could build that into our routine that updates the trusted
keys from ITAR. Thanks for the suggestions.
> Hopefully this will help until...
>> And if so, could this have been prevented by the phase-in procedure of
>> DNSSEC for .ARPA? (And if so, how?)
> I don't believe ARPA did anything wrong. I think it is a bug in BIND 9,
> and we are investigating.
Thanks. And sorry for not having dumped our cache in time!
--
Simon.
More information about the dns-operations
mailing list