[dns-operations] [Dnssec-deployment] .uk validation failure

Sue True bloomingtonian at gmail.com
Mon Sep 13 15:46:29 UTC 2010


We have 9.7.0-P2 with DNSSEC validation enabled, and several of our
internal named instances died Saturday during the time they had the ZSK problem.

The only clue I can find is hundreds of DNSSEC validation deadlock messages logged
before named decided to quit:

Sep 11 12:00:31 nameserver kernel: named[15795] general protection rip:2aaab72a0fac rsp:41b97030 error:0

11-Sep-2010 12:00:02.779 dnssec: debug 3:  validating @0x2aaabf53c790: u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk NSEC3: continuing validation would lead to deadlock: aborting validation

11-Sep-2010 12:00:02.779 dnssec: debug 3:  validating @0x2aaabf53c790: u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk NSEC3: deadlock found (create_fetch)



Thanks,
Sue

On Mon, 13 Sep 2010, Carlos Martinez-Cagnazzo wrote:

> Looks like a serious operational gotcha to me. I hope we all learn from this early in the DNSSEC adoption process, otherwise we
> risk a serious backlash in the people adopting DNSSEC query validation.
> Warm regards
> 
> Carlos
> 
> On Sun, Sep 12, 2010 at 11:44 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
>       At 11:32 AM +0200 9/12/10, Anand Buddhdev wrote:
>       >In case anyone is having problems looking up names in .uk, and doesn't
>       >know why, here is the reason:
>       >
>       >http://tinyurl.com/23vreu3
>       >
>       >I lookup failures on our resolvers last night, and after I noticed that
>       >the ZSK in our cache was different from the one served by the .uk
>       >servers, I concluded that something had gone wrong with ZSK roll-over,
>       >so I flushed our caches.
> 
> It would be very useful to hear from someone at Nominet why "the backup system did not use the exact same Zone Signing
> Keys (ZSK)" so that others who are using HSMs know what to look out for.
> 
> --Paul Hoffman, Director
> --VPN Consortium
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
> 
> 
> 
> --
> --
> =========================
> Carlos M. Martinez-Cagnazzo
> http://cagnazzo.name
> =========================
> 
>
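As an added example (not code from this thread, from BIND, or from Nominet): a small Python parser over constructed log lines in the shape Sue quotes above, which counts aborted validations per TLD so a resolver operator can alert on the burst of "deadlock: aborting validation" messages that preceded the crash and see which zone's keys to compare against the authoritative servers. The validator pointers and the .co.uk/.net names in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the BIND 9.7 "dnssec" category debug
# lines quoted in the post; pointers and the example names are made up.
SAMPLE_LOG = """\
11-Sep-2010 12:00:02.779 dnssec: debug 3:  validating @0x2aaabf53c790: u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk NSEC3: continuing validation would lead to deadlock: aborting validation
11-Sep-2010 12:00:02.779 dnssec: debug 3:  validating @0x2aaabf53c790: u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk NSEC3: deadlock found (create_fetch)
11-Sep-2010 12:00:02.901 dnssec: debug 3:  validating @0x2aaabf5412a0: example.co.uk A: continuing validation would lead to deadlock: aborting validation
11-Sep-2010 12:00:03.120 dnssec: debug 3:  validating @0x2aaabf55c000: www.example.net A: starting
"""

# timestamp, validator pointer, owner name, RR type, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) dnssec: debug \d+:\s+"
    r"validating @(?P<val>0x[0-9a-f]+): (?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)$"
)
ABORT_MARK = "deadlock: aborting validation"

def parse_dnssec_lines(text):
    """Yield (timestamp, validator pointer, owner name, rrtype, message)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines from other log categories simply do not match
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["val"], m["name"].lower().rstrip("."), m["rtype"], m["msg"]

def tld(name):
    """Top-level label of an owner name ('example.co.uk' -> 'uk')."""
    return name.rsplit(".", 1)[-1]

def deadlock_report(text, threshold=2):
    """Count aborted validations per TLD; return those at or above threshold as
    {tld: (abort_count, sorted distinct owner names, first_ts, last_ts)}."""
    per_tld = defaultdict(lambda: [0, set(), None, None])
    for ts, _val, name, _rtype, msg in parse_dnssec_lines(text):
        if ABORT_MARK not in msg:
            continue  # the "deadlock found (create_fetch)" line follows the abort; count once
        entry = per_tld[tld(name)]
        entry[0] += 1
        entry[1].add(name)
        entry[2] = ts if entry[2] is None else min(entry[2], ts)
        entry[3] = ts if entry[3] is None else max(entry[3], ts)
    return {z: (n, sorted(names), first, last)
            for z, (n, names, first, last) in per_tld.items() if n >= threshold}

if __name__ == "__main__":
    for zone, (n, names, first, last) in deadlock_report(SAMPLE_LOG).items():
        print(f"{zone}: {n} aborted validations between {first} and {last}: {names}")
```

Feed it `named`'s dnssec-category log (debug level 3, as in the post) and alert when any TLD crosses the threshold within your collection interval; the listed names tell you which zone's DNSKEY RRset to compare between your cache and its authoritative servers.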