[dns-operations] Signing of the ARPA zone

Simon Leinen simon.leinen at switch.ch
Fri Mar 26 18:55:09 UTC 2010

>> And if so, could this have been prevented by the phase-in procedure
>> of DNSSEC for .ARPA? (And if so, how?)

> I heard no reports of anything breaking as a direct consequence of
> ARPA being signed.

Me neither.

> I *have* heard some reports of disruptions when people added the
> trust anchor for ARPA to their validator automatically, which were
> resolved by manual operator intervention.

Right.  Although in our case, the trust anchor wasn't installed
entirely automatically.

> I think the distinction is important, because the implications of
> the former are that we need to put the brakes on DNSSEC deployment
> in TLDs and perhaps the root, something that I don't think anybody
> wants to happen unnecessarily.


> So, to be clear: you are saying that you have identified an
> operational problem when you add a trust anchor, right?

Yes.  Apparently if you use BIND (latest & greatest 9.7.0), and
install new trusted keys, you are expected to flush some entries from
the cache; in particular, you should flush the entries for the names
for which trust anchors were added, e.g. "ARPA" for the trusted keys
in the March 25 version of the ITAR.

Maybe this is common knowledge, and everybody except us has routinely
been flushing their caches whenever they install new trust anchors.
But I doubt it.

So it might make sense to investigate whether it would have been
possible to avoid or mitigate this issue somehow - maybe by reducing
the TTL of some record(s) in preparation for publishing the keys.

This might make sense even if the issue is in fact due to a bug in
BIND which will be fixed tomorrow, because some operators of
validating nameservers would still be running buggy versions when the
root is signed.

But then for the case of the root, it might be sufficient to remind
people to flush cached entries for "." when they install the trust
anchor for the root.  I honestly believe that the vast majority of
operators of validating nameservers would notice such a
recommendation if it were included in official announcements from IANA.
