[dns-operations] Signing of the ARPA zone

Joe Abley jabley at hopcount.ca
Fri Mar 26 18:59:41 UTC 2010

On 2010-03-26, at 11:55, Simon Leinen wrote:

> Yes.  Apparently if you use BIND (latest & greatest 9.7.0), and
> install new trusted keys, you are expected to flush some entries from
> the cache; in particular, you should flush the entries for the names
> for which trust anchors were added, e.g. "ARPA" for the trusted keys
> in the March 25 version of the ITAR.

So in your case you added the trust anchor to your BIND9 config and did an "rndc reconfig" to make it live?

> [...]
> This might make sense even if the issue is in fact due to a bug in
> BIND which will be fixed tomorrow, because some operators of
> validating nameservers would still be running buggy versions when the
> root is signed.
> But then for the case of the root, it might be sufficient to remind
> people to flush cached entries for "." when they install the trust
> anchor for the root.  I honestly believe that the vast majority of
> operators of validating nameservers would notice such a
> recommendation if it were included in official announcements from IANA.

This is a great suggestion, thanks. We would be very happy to pass on any practical advice of that kind as part of our more general communications work.
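
The flush step discussed in this thread, as an added example that is not part of the original messages: a dry-run script that reads a `trusted-keys` stanza, lists the names that have trust anchors, and prints the `rndc reconfig` plus one cache flush per name. Using `rndc flushname` for the flush is an assumption (the thread does not name the command), and the stanza, its names and its key data are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Constructed sample of a BIND trusted-keys stanza; key data is a placeholder.
sample_conf() {
cat <<'EOF'
trusted-keys {
    // constructed entries, key material is not real
    "arpa." 257 3 8 "PLACEHOLDERKEYDATA==";
    "se."   257 3 5 "PLACEHOLDERKEYDATA==";

    "."     257 3 8 "PLACEHOLDERKEYDATA==";
};
EOF
}

# Print the owner name of every trust anchor found in the
# trusted-keys stanza(s) read from stdin, one per line, de-duplicated.
anchor_names() {
    awk '
        /^[ \t]*(\/\/|#)/       { next }                # skip comment lines
        /trusted-keys[ \t]*[{]/ { inside = 1; next }    # stanza opens
        inside && /^[ \t]*[}];/ { inside = 0; next }    # stanza closes
        inside && $1 != "" {
            name = $1
            gsub(/"/, "", name)                         # drop the quotes
            print name
        }
    ' | LC_ALL=C sort -u
}

# Print the commands to run after editing named.conf: one reconfig,
# then one flush per anchor name. Nothing is executed (dry run).
flush_plan() {
    echo "rndc reconfig"
    anchor_names | while read -r name; do
        case $name in
            # refuse anything that is not a plain DNS name
            *[!A-Za-z0-9._-]*) echo "skipping odd name: $name" >&2; continue ;;
        esac
        echo "rndc flushname $name"
    done
}

sample_conf | flush_plan
```

Feed it the real stanza with `flush_plan < named.conf` and review the printed commands before running them.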

