[dns-operations] [Dnssec-deployment] .uk validation failure

Carlos Martinez-Cagnazzo carlosm3011 at gmail.com
Mon Sep 13 14:54:56 UTC 2010


Looks like a serious operational gotcha to me. I hope we all learn from this
early in the DNSSEC adoption process, otherwise we risk a serious backlash
in the people adopting DNSSEC query validation.

Warm regards

Carlos

On Sun, Sep 12, 2010 at 11:44 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:

> At 11:32 AM +0200 9/12/10, Anand Buddhdev wrote:
> >In case anyone is having problems looking up names in .uk, and doesn't
> >know why, here is the reason:
> >
> >http://tinyurl.com/23vreu3
> >
> >I saw lookup failures on our resolvers last night, and after I noticed that
> >the ZSK in our cache was different from the one served by the .uk
> >servers, I concluded that something had gone wrong with ZSK roll-over,
> >so I flushed our caches.
>
> It would be very useful to hear from someone at Nominet why "the backup
> system did not use the exact same Zone Signing Keys (ZSK)" so that others
> who are using HSMs know what to look out for.
>
> --Paul Hoffman, Director
> --VPN Consortium



-- 
--
=========================
Carlos M. Martinez-Cagnazzo
http://cagnazzo.name
=========================