[dns-operations] Problems with .gov

Casey Deccio casey at deccio.net
Mon Jan 31 17:48:56 UTC 2011

On Mon, Jan 31, 2011 at 8:52 AM, David Blacka <davidb at verisign.com> wrote:
> On Jan 31, 2011, at 10:13 AM, Creighton, Tom wrote:
>> Anyone else having problems?
>> http://dnsviz.net/d/noaa.gov/dnssec/
> I see warnings on dnsviz.net, but I don't see any actual validation problems.  (You can also try the Verisign Labs debugger just to double check: http://dnssec-debugger.verisignlabs.com/noaa.gov)

> What you are seeing is the KSK (and ZSK) key roll as part of the .gov transition to Verisign.  The errors shown on dnsviz.net are (I think) caused by a timing effect:

Yes, from my vantage point it simply looked like propagation delay.  At
the time the .gov snapshot was taken, there were two versions of the
SOA being served by the servers because the new zone version hadn't
propagated to all the new servers.

(disclaimer: these URLs may not work in the future, as I'm still
working out how to best handle history in DNSViz.  I include them only
for reference for this thread.)

>  signatures by the older KSK and ZSK are going to expire in less than the TTL values over those RRsets (1 day), hence the warning.  This should cause those RRsets to be cached for less than a day (i.e., not cached beyond the expiration.)

True, but only by validating resolvers.

> The new KSK, ZSK, and parent DS have all been pre-published, so when RRsets are fetched from the new .gov zone being published momentarily, there should be no validation issues.

Yes, because there seemed to be a valid chain in both the new and old
versions of the zone, the only potential issue I saw was in fact the
RRSIG expiration prior to TTL expiration, which is only an issue with
non-validating resolvers--well, those that are upstream caches for
validating resolvers.
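The timing effect discussed in this thread, as an added example that is not part of the original message or of DNSViz: a validating resolver caps the cache TTL of a signed RRset at the signature's remaining validity (RFC 4035 section 5.3.3), so it never caches past the RRSIG expiration; a non-validating cache keeps the RRset for the full TTL, and a validating resolver sitting behind it can then be handed a signature that has already expired. The RRSIG expiration times below are constructed, the TTL of one day is the value from the thread, and the "now" timestamp is the posting time in the thread header.

```python
"""Added example (not from the thread): RRSIG expiration versus TTL.

Shows how a validating resolver caps the cached TTL at the signature's
remaining validity (RFC 4035 section 5.3.3) and why a non-validating cache
in front of it can still serve an RRset whose RRSIG has expired.
"""
from datetime import datetime, timezone

# RRSIG inception/expiration presentation format: YYYYMMDDHHmmSS, UTC.
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"

# Constructed sample values (not observed from noaa.gov).
NOW = "20110131174856"               # posting time from the thread header
TTL = 86400                          # one day, the TTL mentioned in the thread
SIG_EXPIRES_SOON = "20110201120000"  # constructed: expires in ~18 hours, before TTL runs out
SIG_EXPIRES_LATER = "20110207120000" # constructed: expires well after TTL runs out


def parse_rrsig_time(text):
    """Parse an RRSIG expiration/inception field into an aware UTC datetime."""
    return datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def seconds_between(earlier, later):
    """Whole seconds from `earlier` to `later` (both in RRSIG time format)."""
    return int((parse_rrsig_time(later) - parse_rrsig_time(earlier)).total_seconds())


def remaining_validity(expiration, now):
    """Seconds until the signature expires; negative once it already has."""
    return seconds_between(now, expiration)


def validating_cache_ttl(rrset_ttl, rrsig_ttl, original_ttl, expiration, now):
    """TTL a validating resolver may use for an authenticated RRset.

    RFC 4035 section 5.3.3: no greater than the minimum of the received RRset
    TTL, the received RRSIG TTL, the RRSIG Original TTL field, and the time
    left until Signature Expiration.
    """
    return max(0, min(rrset_ttl, rrsig_ttl, original_ttl,
                      remaining_validity(expiration, now)))


def signature_outlives_ttl(rrset_ttl, expiration, now):
    """True when the signature stays valid for the whole TTL.

    False is the condition behind the "expires before TTL" warning: a
    non-validating cache would keep the RRset past its signature expiration.
    """
    return remaining_validity(expiration, now) >= rrset_ttl


def stale_from_plain_cache(rrset_ttl, expiration, fetched_at, asked_at):
    """Would a non-validating cache hand out an already-expired RRSIG?

    The cache fetched the RRset at `fetched_at` and keeps it for the full
    `rrset_ttl`. A validating resolver asking at `asked_at` gets a fresh-looking
    answer whose signature no longer validates if the entry is still cached
    but the signature has expired.
    """
    age = seconds_between(fetched_at, asked_at)
    still_cached = 0 <= age < rrset_ttl
    sig_expired = remaining_validity(expiration, asked_at) <= 0
    return still_cached and sig_expired


if __name__ == "__main__":
    for label, exp in (("soon", SIG_EXPIRES_SOON), ("later", SIG_EXPIRES_LATER)):
        print(f"signature expires {label}:")
        print("  validating resolver caches for",
              validating_cache_ttl(TTL, TTL, TTL, exp, NOW), "s")
        print("  signature outlives TTL:", signature_outlives_ttl(TTL, exp, NOW))
        print("  stale answer from plain cache an hour after expiry:",
              stale_from_plain_cache(TTL, exp, NOW, "20110201130000"))
```

With the "soon" expiration the validating resolver caches for only 65464 seconds (the time left on the signature) while a plain cache keeps the RRset for the full 86400 seconds, and a query through that cache an hour after expiry gets an RRSIG that fails validation; with the "later" expiration both cache for a day and no warning applies.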

