Looks like a serious operational gotcha to me. I hope we all learn from this early in the DNSSEC adoption process, otherwise we risk a serious backslash in the people adopting DNSSEC query validation.<div><br></div><div>Warm regards</div>
<div><br></div><div>Carlos<br><br><div class="gmail_quote">On Sun, Sep 12, 2010 at 11:44 AM, Paul Hoffman <span dir="ltr"><<a href="mailto:paul.hoffman@vpnc.org">paul.hoffman@vpnc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">At 11:32 AM +0200 9/12/10, Anand Buddhdev wrote:<br>
>In case anyone is having problems looking up names in .uk, and doesn't<br>
>know why, here is the reason:<br>
><br>
><a href="http://tinyurl.com/23vreu3" target="_blank">http://tinyurl.com/23vreu3</a><br>
><br>
>I lookup failures on our resolvers last night, and after I noticed that<br>
>the ZSK in our cache was different from the one served by the .uk<br>
>servers, I concluded that something had gone wrong with ZSK roll-over,<br>
>so I flushed our caches.<br>
<br>
</div>It would be very useful to hear from someone at Nominet why "the backup system did not use the exact same Zone Signing Keys (ZSK)" so that others who are using HSMs know what to look out for.<br>
<font color="#888888"><br>
--Paul Hoffman, Director<br>
--VPN Consortium<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>--<br>=========================<br>Carlos M. Martinez-Cagnazzo<br><a href="http://cagnazzo.name">http://cagnazzo.name</a><br>=========================<br>
</div>