[dns-operations] BIND validation problem with some DE zones [was: Operational Note -- DNSSEC for DE]
Chris Thompson
cet1 at cam.ac.uk
Thu May 26 21:55:32 UTC 2011
On May 24 2011, Michael Graff wrote:
>For now, I'll suspend the .de child zones in our DLV database. I would
>like to leave one "live" if at all possible to assist in testing and
>diagnosing this.
>
>If someone has a zone they are OK with breaking for some people for a
>bit, please let me know what it is so I can white-list it.
In the absence of such a sacrificial chicken^Wzone, I have set up the
following:
* child.dnssec-bug.csi.cam.ac.uk is a signed zone registered in dlv.isc.org.
* the parent zone dnssec-bug.csi.cam.ac.uk is not signed, but contains a
DS record for child.dnssec-bug.csi.cam.ac.uk to go with the NS records.
This is enough to provoke the problem: I think anything that prevents the
DS record being validated (absence of an RRSIG here, obscured DNSKEYs in
the "de" case) will do.
I have a BIND patch from ISC against bug report 24631 which apparently
fixes the problem (it works for child.dnssec-bug.csi.cam.ac.uk anyway).
I will refrain from posting it here pending permission from ISC. (Not
that we could expect many BIND instances to get fixed before DENIC
unobscure the "de" DNSKEYs, anyway.)
--
Chris Thompson                University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk  New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715        United Kingdom.