[dns-operations] Implementation of negative trust anchors?

Paul Wouters paul at cypherpunks.ca
Tue Aug 27 16:02:55 UTC 2013


On Tue, 27 Aug 2013, Paul Hoffman wrote:

> On Aug 27, 2013, at 8:27 AM, Joe Abley <jabley at hopcount.ca> wrote:
>
>> I seem to think actually that all the prominent public failures near the root of the namespace have not been due to zones that were signed incorrectly, but rather botched rollovers, parent DS mismatch, accidental use of an old key, etc.
>
> That is what most of the sad messages we have seen on the DNSSEC deployment list indicate.

Actually, I think the most common has been "expired RRSIGs".

>> I've long wished for a more general facility where upon successful [AI]XFR I could shell out to an arbitrary local executable and do whatever checks I wanted before signalling with exit status that "this zone is ok to serve". With a bit of state held on disk about previous zones you could include some of those temporal checks and perhaps catch a few more problems.
>
> ...but not all of them.

And yes, once your dead man switch activates, and the newly botched
signed zone is withheld, you _still_ need a monitor system and a human
to address the issue before you end up at "expired RRSIGs" again for
not pushing the botched zones, while your current very old zone is still
being served.

Paul
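
The post-transfer check Joe describes, combined with the caveat in this reply, as an added example that is not code from the thread or from any name server: it refuses a candidate zone whose RRSIGs are expired, not yet valid or close to expiry, and when it withholds the zone it reports how long the zone still in service has before its own signatures expire. The function names, the three-day margin, the one-record-per-line zone text with 14-digit timestamps and the sample records are all assumptions constructed for illustration.

```python
import sys
from datetime import datetime, timedelta, timezone

def _ts(s):  # RRSIG timestamps in YYYYMMDDHHmmSS form are UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_windows(zone_text):
    """(owner, covered type, inception, expiration) for each one-line RRSIG record."""
    out = []
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()
        # As the record type, RRSIG sits right after owner [TTL] [class];
        # further right it is only an entry in an NSEC type list.
        i = f.index("RRSIG") if "RRSIG" in f[1:4] else 0
        if i and len(f) > i + 8:
            out.append((f[0], f[i + 1], _ts(f[i + 6]), _ts(f[i + 5])))
    return out

def check_candidate(zone_text, now, min_remaining=timedelta(days=3)):
    """Problems that should keep a freshly transferred zone from being served."""
    sigs = rrsig_windows(zone_text)
    problems = [] if sigs else ["no RRSIG records found"]
    for owner, covered, inc, exp in sigs:
        if inc > now:
            problems.append(f"{owner} {covered}: inception {inc:%Y-%m-%d %H:%M} is in the future")
        elif exp <= now:
            problems.append(f"{owner} {covered}: expired {exp:%Y-%m-%d %H:%M}")
        elif exp - now < min_remaining:
            problems.append(f"{owner} {covered}: expires in {exp - now}")
    return problems

def time_left(zone_text, now):
    """Time until the first RRSIG in the zone still being served expires."""
    return min((exp for *_, exp in rrsig_windows(zone_text)), default=now) - now

def gate(candidate, serving, now):
    """(exit status, messages): 0 = serve the candidate, 1 = withhold it."""
    problems = check_candidate(candidate, now)
    if problems:  # withholding only buys time; a human still has to act
        problems.append(f"withheld; zone in service goes bogus in {time_left(serving, now)}")
    return (1 if problems else 0), problems

# Constructed sample records (placeholder signatures), not real zone data.
NOW = datetime(2013, 8, 27, 16, 0, tzinfo=timezone.utc)
SERVING = ("example. 3600 IN RRSIG SOA 8 1 3600 20130901000000 20130801000000 12345 example. AAAA=\n"
           "www.example. 3600 IN RRSIG A 8 2 3600 20130830000000 20130801000000 12345 example. AAAA=\n")
CANDIDATE = ("example. 3600 IN RRSIG SOA 8 1 3600 20130826000000 20130727000000 12345 example. AAAA=\n"
             "www.example. 3600 IN RRSIG A 8 2 3600 20130926000000 20130827000000 12345 example. AAAA=\n")

if __name__ == "__main__":
    status, messages = gate(CANDIDATE, SERVING, NOW)
    print("\n".join(messages))
    sys.exit(status)
```

The final message is the one a monitoring system should page on: the deadline it reports is set by the old zone's signatures, and withholding further candidates does not move it.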


