[dns-operations] Signing of the ARPA zone

Simon Leinen simon.leinen at switch.ch
Fri Mar 26 18:20:10 UTC 2010


Michael Graff writes:
> On 3/26/10 10:55 AM, Simon Leinen wrote:
>> And then almost immediately, inverse lookups started to fail on one
>> of our recursive nameservers, running BIND 9.7.0 (just like the
>> others).  This is an extract from the log (timestamps in UTC) of that
>> nameserver:

> Just to be specific, you are NOT using DLV?

No, never in production.

>> So does anybody have an explanation on how old information in the cache
>> (or another inconsistency) can have caused this?

> I think the right answer for you will be to flush your cache when you
> update trust anchors.

OK.  I don't like flushing the entire cache, but it currently seems risky
not to do it.

> If you're clever, you can do it only for added or removed anchors.

Yes, maybe we could build that into our routine that updates the trusted
keys from ITAR.  Thanks for the suggestions.

> Hopefully this will help until...

>> And if so, could this have been prevented by the phase-in procedure of
>> DNSSEC for .ARPA? (And if so, how?)

> I don't believe ARPA did anything wrong.  I think it is a bug in BIND 9,
> and we are investigating.

Thanks.  And sorry for not having dumped our cache in time!
-- 
Simon.
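As an added example, not part of the thread or of BIND itself, this is one way to do the selective flush Michael suggests: compare the old and new trusted-keys blocks from an ITAR update and run `rndc flushname` only for owner names whose anchors changed. The anchor blocks and key data are constructed placeholders, and the view name is an assumed parameter.

```python
import re
import subprocess

# Constructed sample: BIND 9 trusted-keys blocks before and after an ITAR
# update (key data are placeholders, not real DNSKEY material).
OLD_ANCHORS = '''
trusted-keys {
    "arpa." 257 3 8 "OLDARPAKEYDATA==";
    "se." 257 3 5 "SEKEYDATA==";
};
'''
NEW_ANCHORS = '''
trusted-keys {
    "arpa." 257 3 8 "NEWARPAKEYDATA==";
    "se." 257 3 5 "SEKEYDATA==";
    "br." 257 3 5 "BRKEYDATA==";
};
'''

# owner flags protocol algorithm "key";  (key data may contain spaces)
ANCHOR_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

def parse_anchors(text):
    """Set of (owner, flags, protocol, algorithm, keydata) tuples."""
    anchors = set()
    for name, flags, proto, alg, key in ANCHOR_RE.findall(text):
        owner = name.lower().rstrip('.') + '.'   # canonical: lower case, absolute
        anchors.add((owner, int(flags), int(proto), int(alg), key.replace(' ', '')))
    return anchors

def changed_names(old_text, new_text):
    """Owner names with any anchor added or removed (symmetric difference)."""
    return sorted({a[0] for a in parse_anchors(old_text) ^ parse_anchors(new_text)})

def flush_commands(old_text, new_text, view=None):
    """One 'rndc flushname' per changed owner instead of a global 'rndc flush'."""
    return [['rndc', 'flushname', name] + ([view] if view else [])
            for name in changed_names(old_text, new_text)]

def run_flushes(old_text, new_text, view=None, dry_run=True):
    """Print the commands; execute them only when dry_run is False."""
    for cmd in flush_commands(old_text, new_text, view):
        print(' '.join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)

if __name__ == '__main__':
    run_flushes(OLD_ANCHORS, NEW_ANCHORS)   # prints the two flushname commands
```

Note that `rndc flushname` removes only the cache entries for that exact owner name; data validated under a changed anchor (for example names below arpa.) stays cached, and later BIND releases added `rndc flushtree` to clear a whole subtree.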