[dns-operations] Comcast Begins DNSSEC Rollout

Griffiths, Chris Chris_Griffiths at Cable.Comcast.com
Tue Oct 19 21:49:23 UTC 2010


On 10/19/10 11:22 AM, "Casey Deccio" <casey at deccio.net> wrote:


>On Tue, Oct 19, 2010 at 5:56 AM, Griffiths, Chris
><Chris_Griffiths at cable.comcast.com> wrote:
>> We are not using DLV to validate zones on our recursive resolvers, we
>> are only using the root key as our trust anchor to validate.
>
>Actually, it appears that the servers are using DLV (or some other
>trust anchor at debian.org)... or returning the AD bit without
>actually validating:
>
>$ dig +dnssec www.debian.org @75.75.75.75
>
>
>debian.org is not currently linked securely to .org, but is only in
>ISC DLV.  Note that responses for .gov names (also not yet linked to
>the root zone) are also returning the AD bit (as appropriate).
>
>> That being said, there appears to be an issue with a couple of cached
>> names on that particular node and we will take a look.
>>
>
>When I queried (last night) with the +cd flag, I received a response,
>so whatever the issue, it did seem to be DNSSEC-related.

The servers are definitely not using DLV or the DLV key to validate, and
the issue we had on the one server was a configuration issue where we had
some older keys being used along with the Root key.  We corrected this
issue on that server and resolution returned back to normal on that one
node.

As for debian.org, I am looking into the AD bit set with no trust anchor
in ORG. It seems odd, and we will keep digging.

Thanks

Chris
Comcast
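The diagnostic reasoning in this exchange (AD set means the resolver claims it validated against a trust anchor it holds; SERVFAIL under +dnssec that becomes an answer under +cd points at a validation failure rather than a missing name) can be applied mechanically to the header flags of two responses. The following is an added example, not code from the thread or from Comcast; the DNS headers are constructed samples rather than captured traffic, and a real check would feed it the wire headers from a DNS library or dig's raw output.

```python
import struct

# DNS header flag bits (RFC 1035 header, AD/CD from RFC 4035).
QR, RD, RA, AD, CD = 1 << 15, 1 << 8, 1 << 7, 1 << 5, 1 << 4
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; only the flags word matters here."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & 0xF, "answers": an}

def classify(resp_dnssec: bytes, resp_cd: bytes) -> str:
    """Apply the thread's reasoning to two responses for the same name:
    one to a +dnssec (DO) query, one to a +cd (checking disabled) query."""
    a, c = parse_header(resp_dnssec), parse_header(resp_cd)
    if a["rcode"] == RCODE_NOERROR and a["ad"]:
        # Resolver asserts a validated chain; check which trust anchor it
        # actually holds (root only, DLV, or a stale key) before trusting AD.
        return "validated: resolver claims a chain to a trust anchor it holds"
    if a["rcode"] == RCODE_SERVFAIL and c["rcode"] == RCODE_NOERROR:
        # Data exists (CD query succeeds) but validation fails: bad keys,
        # stale cache, or a broken chain, not a non-existent name.
        return "validation-failure: answer exists but fails DNSSEC validation"
    if a["rcode"] == RCODE_NOERROR:
        return "unvalidated: answer returned without AD (insecure or not validating)"
    return "other: rcode %d with and without CD" % a["rcode"]

def make_header(flags: int, answers: int = 0, ident: int = 0x1234) -> bytes:
    """Build a constructed 12-byte header (sample data, not captured traffic)."""
    return struct.pack("!6H", ident, flags, 1, answers, 0, 0)

# Constructed samples mirroring the cases discussed in the thread.
AD_RESPONSE = make_header(QR | RD | RA | AD, answers=1)         # NOERROR, AD set
SERVFAIL_RESPONSE = make_header(QR | RD | RA | RCODE_SERVFAIL)  # +dnssec query failed
CD_RESPONSE = make_header(QR | RD | RA | CD, answers=1)         # same name with +cd
PLAIN_RESPONSE = make_header(QR | RD | RA, answers=1)           # NOERROR, no AD

if __name__ == "__main__":
    print(classify(AD_RESPONSE, CD_RESPONSE))
    print(classify(SERVFAIL_RESPONSE, CD_RESPONSE))
```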
