[dns-wg] Just another lookaside zone
Roy.Arends at nominet.org.uk
Tue Feb 14 15:04:50 CET 2006
dns-wg-admin at ripe.net wrote on 14-02-2006 12:16:57:

> * Lutz Donnerhacke wrote:
> > In order to extend the deployment of security technology, we switch to
> > DNSSEC for us and our customers. [...] This is the reason why we set
> > up another DLV zone.
>
> Please do *not* try to use this zone with any publicly available bind version.
> There is a bug in long time behavior of the caching algorithms. Invalidating
> of cache entries occurs unrelated to DNSSEC. This causes invalidating of any
> signed entries over the time. The race condition caused by cache
> invalidation is large enough to hit the lookaside zone itself after some
> hours on a busy server. Normal usage hits the problem after some days. Due
> to the bind architecture, even authorized servers can be unable to deliver
> their own data.
>
> Look for "empty name resolving" entries in the logfiles.
>
> Unfortunately there is no working DNSSECable DNS server software out at all.

Try unbound as a validating DNSSEC resolver.

http://www.rfc.se/unbound

Roy