[dns-wg] RIPE NCC DNSSEC on the reverse tree update.
Alexander Gall
gall at switch.ch
Mon Nov 28 12:02:49 CET 2005
On Mon, 28 Nov 2005 11:24:45 +0100, "Brett Carr" <brettcarr at ripe.net> said:

>> -----Original Message-----
>> From: Alexander Gall [mailto:gall at switch.ch]
>> Sent: 28 November 2005 08:47
>> To: Brett Carr
>> Cc: dns-wg at ripe.net
>> Subject: Re: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>>
>> Brett,
>>
>> What's going on with 195.in-addr.arpa? All DNSSEC records
>> are gone, e.g.
>>

> We saw some zone file corruption during the early hours of the morning, this
> caused a failsafe operation to take over and hence the zones were published
> without signatures. I've investigated and fixed the corruption and so now
> everything is back to normal.

Thanks. Having such a failsafe procedure is probably a good idea. However, it caused my sub-zone to be marked as bogus, which is bad (i.e. my cache with only the key for 195.in-addr.arpa configured as trusted key returned SERVFAIL for all queries within 176.195.in-addr.arpa).

I think that you must not leave the DS records in the zone when all other DNSSEC RRsets are removed (and the DS record for my zone was definitely there). Otherwise, a verifier will find a DS record but is unable to check its authenticity and has to declare the zone as bogus.

--
Alex
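A pre-publication check for the state this message describes, as an added example that is not part of the original post or of RIPE NCC's tooling: it flags delegations whose DS RRset has no covering RRSIG, and shows a fallback that drops DS together with the other DNSSEC types. The zone fragment, the name server names, the DS values and the function names are constructed for illustration, and the parser assumes one record per line with fully qualified owners and explicit TTL and class.

```python
# Added example: constructed zone data and hypothetical function names.
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DS"}

# Constructed parent-zone fragment in the inconsistent state: signatures
# are gone, but the DS for the delegated child is still published.
UNSIGNED_WITH_DS = """\
195.in-addr.arpa.      3600 IN SOA ns.example. hostmaster.example. 1 3600 600 86400 3600
195.in-addr.arpa.      3600 IN NS  ns.example.
176.195.in-addr.arpa.  3600 IN NS  ns.child.example.
176.195.in-addr.arpa.  3600 IN DS  12345 5 1 0123456789ABCDEF0123456789ABCDEF01234567
"""

def fields_of(line):
    """Split a record line into [owner, ttl, class, type, rdata], or None."""
    fields = line.split(";", 1)[0].split(None, 4)  # ';' starts a comment
    return fields if len(fields) == 5 else None

def ds_without_rrsig(zone_text):
    """Return owners that have a DS RRset but no RRSIG covering type DS."""
    ds_owners, signed_ds = set(), set()
    for line in zone_text.splitlines():
        fields = fields_of(line)
        if fields is None:
            continue
        owner, rrtype, rdata = fields[0].lower(), fields[3].upper(), fields[4]
        if rrtype == "DS":
            ds_owners.add(owner)
        elif rrtype == "RRSIG" and rdata.split()[0].upper() == "DS":
            signed_ds.add(owner)  # first RRSIG rdata field is the type covered
    return sorted(ds_owners - signed_ds)

def strip_dnssec(zone_text):
    """Fallback publication: drop every DNSSEC record type, DS included."""
    kept = []
    for line in zone_text.splitlines():
        fields = fields_of(line)
        if fields is not None and fields[3].upper() in DNSSEC_TYPES:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print("DS without RRSIG:", ds_without_rrsig(UNSIGNED_WITH_DS))
    print("after fallback strip:", ds_without_rrsig(strip_dnssec(UNSIGNED_WITH_DS)))
```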