[dns-operations] Signing of the ARPA zone

Joe Abley jabley at hopcount.ca
Fri Mar 26 18:59:41 UTC 2010


On 2010-03-26, at 11:55, Simon Leinen wrote:

> Yes.  Apparently if you use BIND (latest & greatest 9.7.0), and
> install new trusted keys, you are expected to flush some entries from
> the cache; in particular, you should flush the entries for the names
> for which trust anchors were added, e.g. "ARPA" for the trusted keys
> in the March 25 version of the ITAR.

So in your case you added the trust anchor to your BIND9 config and did an "rndc reconfig" to make it live?

> [...]
> 
> This might make sense even if the issue is in fact due to a bug in
> BIND which will be fixed tomorrow, because some operators of
> validating nameservers would still be running buggy versions when the
> root is signed.
> 
> But then for the case of the root, it might be sufficient to remind
> people to flush cached entries for "." when they install the trust
> anchor for the root.  I honestly believe that the vast majority of
> operators of validating nameservers would notice such a
> recommendation if it were included in official announcements from IANA.

This is a great suggestion, thanks. We would be very happy to pass on any practical advice of that kind as part of our more general communications work.


Joe

