[dns-operations] [Dnssec-deployment] .uk validation failure
carlosm3011 at gmail.com
Mon Sep 13 14:54:56 UTC 2010
Looks like a serious operational gotcha to me. I hope we all learn from this
early in the DNSSEC adoption process, otherwise we risk a serious backslash
in the people adopting DNSSEC query validation.
On Sun, Sep 12, 2010 at 11:44 AM, Paul Hoffman <paul.hoffman at vpnc.org>wrote:
> At 11:32 AM +0200 9/12/10, Anand Buddhdev wrote:
> >In case anyone is having problems looking up names in .uk, and doesn't
> >know why, here is the reason:
> >I lookup failures on our resolvers last night, and after I noticed that
> >the ZSK in our cache was different from the one served by the .uk
> >servers, I concluded that something had gone wrong with ZSK roll-over,
> >so I flushed our caches.
> It would be very useful to hear from someone at Nominet why "the backup
> system did not use the exact same Zone Signing Keys (ZSK)" so that others
> who are using HSMs know what to look out for.
> --Paul Hoffman, Director
> --VPN Consortium
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
Carlos M. Martinez-Cagnazzo
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations