RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
To: "Brett Carr" <>
From: Alexander Gall <>
Date: Mon, 28 Nov 2005 12:02:49 +0100
On Mon, 28 Nov 2005 11:24:45 +0100, "Brett Carr" brettcarr@localhost said:
>> -----Original Message-----
>> From: Alexander Gall [ ]
>> Sent: 28 November 2005 08:47
>> To: Brett Carr
>> Subject: Re: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>>
>> Brett,
>>
>> What's going on with 195.in-addr.arpa? All DNSSEC records
>> are gone, e.g.
>>
> We saw some zone file corruption during the early hours of the morning; this
> caused a failsafe operation to take over and hence the zones were published
> without signatures. I've investigated and fixed the corruption and so now
> everything is back to normal.
Thanks. Having such a failsafe procedure is probably a good idea.
However, it caused my sub-zone to be marked as bogus, which is bad
(i.e. my cache with only the key for 195.in-addr.arpa configured as
trusted key returned SERVFAIL for all queries within
176.195.in-addr.arpa). I think that you must not leave the DS records
in the zone when all other DNSSEC RRsets are removed (and the DS
record for my zone was definitely there). Otherwise, a verifier will
find a DS record but is unable to check its authenticity and has to
declare the zone as bogus.
--
Alex
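The validator decision Alex describes, as an added example that is not part of the thread: a toy model of how a validator with a trust anchor at 195.in-addr.arpa classifies the delegation to 176.195.in-addr.arpa. Signature verification is reduced to matching an RRSIG's key tag against the trust anchor's key tag, and the zone contents, key tags and name server names are constructed for illustration.

```python
"""Toy model of RFC 4035 delegation classification: secure, insecure or bogus."""
from collections import defaultdict

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Constructed sample values modelled on the thread (key tags are made up).
PARENT, CHILD, ANCHOR_TAG = "195.in-addr.arpa.", "176.195.in-addr.arpa.", 12345


def rrsets(zone):
    """Group (owner, type, rdata) records into {(owner, type): [rdata, ...]}."""
    out = defaultdict(list)
    for owner, rtype, rdata in zone:
        out[(owner, rtype)].append(rdata)
    return out


def signed_by_anchor(sets, owner, covered, anchor_tag):
    """Toy verification: an RRSIG over (owner, covered) names the anchor's key tag."""
    return any(cov == covered and tag == anchor_tag
               for cov, tag in sets.get((owner, "RRSIG"), []))


def delegation_status(parent_zone, child, anchor_tag):
    """Classify the child delegation as seen from a parent that is a trust anchor."""
    sets = rrsets(parent_zone)
    if not sets.get((child, "DS")):
        # No DS: insecure only if a signed NSEC proves the absence, else bogus.
        return INSECURE if signed_by_anchor(sets, child, "NSEC", anchor_tag) else BOGUS
    # A DS exists: it must itself be verifiable, otherwise the chain is bogus.
    return SECURE if signed_by_anchor(sets, child, "DS", anchor_tag) else BOGUS


def normal_zone():
    """Fully signed parent with a signed DS for the child."""
    return [(PARENT, "DNSKEY", ANCHOR_TAG), (PARENT, "RRSIG", ("DNSKEY", ANCHOR_TAG)),
            (CHILD, "NS", "ns1.example.net."),
            (CHILD, "DS", (4242, "digest-placeholder")), (CHILD, "RRSIG", ("DS", ANCHOR_TAG))]


def failsafe_zone():
    """What the thread describes: DNSKEY and RRSIG RRsets stripped, DS left behind."""
    return [r for r in normal_zone() if r[1] not in ("DNSKEY", "RRSIG")]


def unsigned_child_zone():
    """A child that is deliberately unsigned: no DS, and a signed NSEC proves it."""
    return [(PARENT, "DNSKEY", ANCHOR_TAG), (PARENT, "RRSIG", ("DNSKEY", ANCHOR_TAG)),
            (CHILD, "NS", "ns1.example.net."),
            (CHILD, "NSEC", "177.195.in-addr.arpa. NS RRSIG NSEC"),
            (CHILD, "RRSIG", ("NSEC", ANCHOR_TAG))]
```

Running `delegation_status` over the three zones shows why the failsafe output (a DS with nothing to verify it) lands the child in the bogus state while a properly unsigned delegation is merely insecure.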