[dns-operations] DNSSEC problem with 174.in-addr.arpa
Anand Buddhdev
anandb at ripe.net
Mon Nov 18 10:13:11 UTC 2013
On 17/11/2013 18:57, Chris Thompson wrote:
Hi Chris,
> As a matter of interest to many of us, what are ARIN's operational
> procedures for interlocking KSK rollovers in NNN.in-addr.arpa zones
> with the change of DS records in in-addr.arpa?
>
> (Of course we could ask the same question of the other RIRs as well...)
I haven't understood your question fully, but let me try answering.
The RIPE NCC's procedure involves removing the old DS records, and
inserting the new ones, in a single transaction, when we do KSK
roll-overs. This saves us from having to do double the work.
Last week, we began KSK roll-overs for all the RIPE NCC's zones. We
began a slow start by updating the DS records for just 2.in-addr.arpa.
However, our update did not appear in the in-addr.arpa zone. Our DNSSEC
signer will not withdraw the old KSK until it has seen the new DS
record, so it patiently kept waiting and logging this fact. We informed
ICANN, and they fixed the operational issue in their provisioning system
that was blocking the update. We expect to update the DS records of all
zones this week.
Regards,
Anand Buddhdev
RIPE NCC
More information about the dns-operations
mailing list