[dns-operations] BIND validation problem with some DE zones [was: Operational Note -- DNSSEC for DE]

Chris Thompson cet1 at cam.ac.uk
Thu May 26 21:55:32 UTC 2011

On May 24 2011, Michael Graff wrote:

>For now, I'll suspend the .de child zones in our DLV database.  I would
>like to leave one "live" if at all possible to assist in testing and
>diagnosing this.
>If someone has a zone they are OK with breaking for some people for a
>bit, please let me know what it is so I can white-list it.

In the absence of such a sacrificial chicken^Wzone, I have set up the

 * child.dnssec-bug.csi.cam.ac.uk is a signed zone registered in dlv.isc.org.
 * the parent zone dnssec-bug.csi.cam.ac.uk is not signed, but contains a
    DS record for child.dnssec-bug.csi.cam.ac.uk to go with the NS records.

This is enough to provoke the problem: I think anything that prevents the
DS record being validated (absence of an RRSIG here, obscured DNSKEYs in
the "de" case) will do.

I have a BIND patch from ISC against bug report 24631 which apparently
fixes the problem (it works for child.dnssec-bug.csi.cam.ac.uk anyway).
I will refrain from posting it here pending permission from ISC. (Not
that we could expect many BIND instances to get fixed before DENIC
unobscure the "de" DNSKEYs, anyway.)

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
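An added check, not part of this post or of BIND: a stdlib-only Python script that flags the parent-zone condition described above, a DS RRset in a zone with no RRSIG covering it. The zone excerpt is constructed for illustration, and the nameserver names, TTLs, key tag and digest in it are placeholders.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the parent zone described in the post: the
# parent is unsigned but carries NS and DS records for the delegation to
# child.dnssec-bug.csi.cam.ac.uk. Key tag and digest are placeholder values.
PARENT_ZONE = """\
dnssec-bug.csi.cam.ac.uk.       3600 IN SOA ns0.example. hostmaster.example. 1 7200 3600 1209600 3600
dnssec-bug.csi.cam.ac.uk.       3600 IN NS  ns0.example.
child.dnssec-bug.csi.cam.ac.uk. 3600 IN NS  ns0.example.
child.dnssec-bug.csi.cam.ac.uk. 3600 IN DS  12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
"""

# Same zone with a (placeholder) RRSIG covering the DS RRset, as a signed parent would have.
SIGNED_VARIANT = PARENT_ZONE + (
    "child.dnssec-bug.csi.cam.ac.uk. 3600 IN RRSIG DS 8 5 3600 "
    "20110601000000 20110501000000 12345 dnssec-bug.csi.cam.ac.uk. AAAA=\n"
)

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_zone(text):
    """Return {(owner, type): [rdata, ...]} from a one-RR-per-line zone text."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError("unparsable RR line: " + line)
        owner, _ttl, rtype, rdata = m.groups()
        rrsets[(owner.lower(), rtype.upper())].append(rdata)
    return rrsets

def unsigned_delegations(text):
    """Owner names whose DS RRset has no RRSIG covering it (a DS a validator cannot prove)."""
    rrsets = parse_zone(text)
    bad = []
    for (owner, rtype) in list(rrsets):
        if rtype != "DS":
            continue
        sigs = rrsets.get((owner, "RRSIG"), [])
        # RRSIG rdata starts with the covered type, e.g. "DS 8 5 3600 ..."
        if not any(s.split()[0].upper() == "DS" for s in sigs):
            bad.append(owner)
    return sorted(bad)

if __name__ == "__main__":
    print("DS without covering RRSIG:", unsigned_delegations(PARENT_ZONE))
```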