named stops resolving anything -- dnssec issue
Chuck Anderson
cra at WPI.EDU
Sun Apr 5 16:04:11 UTC 2009
On Sun, Apr 05, 2009 at 12:00:34PM -0400, Mail Lists wrote:
> On 04/05/2009 09:17 AM, Chuck Anderson wrote:
>
> >> It appears that the DNSSEC key on the root servers has changed, but I
> >> have forgotten how to download the root keys. I'll have to dredge
> >> through the manpages to remember. For now, I, too, have had to disable
> >> DNSSEC.
>
> (1) I assume there must be a clear and robust mechanism to enable keys
> to change (since they all expire) without causing DNS outages ?
>
> What is the mechanism ? Or does one need to be created. I would assume
> that the keys can both be valid for some overlapping period of time for
> example - or that the older key can approve the newer key so the update
> is automatic (less secure but way more robust than any hand required
> method). Perhaps yum can play a role ?
>
> I cannot imagine a world where the world stops every time a key
> updates ..
>
> >
> > There was an outage on dlv.isc.org that has now been repaired
> > according to folks at the ISC.
>
> (2) Why would one server prevent bind from working at all ?
Because DNSSEC is still in its infancy w.r.t. production deployment
on the Internet. The powers that be still haven't signed the root
zone, and most TLD zones aren't signed either. So we have to live
with the hack known as DLV for now, and there isn't much robustness in
that service yet.
More information about the fedora-test-list mailing list
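The thread mentions re-downloading the root/DLV trust anchor after a key change. Before pasting a freshly fetched DNSKEY into a BIND `trusted-keys` statement, an operator normally checks it against a key tag or DS fingerprint obtained out-of-band. The script below is an added example, not code from the list post or from ISC; it implements the RFC 4034 key tag (Appendix B) and the RFC 4034/4509 DS digest over a DNSKEY presentation record. The `dlv.isc.org.` DNSKEY it parses is a constructed sample with a six-byte dummy public key, not the real DLV key, and the function names are this example's own.

```python
import base64
import hashlib
import struct

# Constructed sample record (NOT the real dlv.isc.org key): flags 257 = KSK with
# SEP bit, protocol 3, algorithm 5 (RSASHA1), dummy public key bytes 01..06.
SAMPLE_DNSKEY = "dlv.isc.org. 3600 IN DNSKEY 257 3 5 AQIDBAUG"


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00"


def parse_dnskey(presentation):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...' into (owner, rdata)."""
    tokens = presentation.split()
    owner = tokens[0]
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return owner, rdata


def is_ksk(rdata):
    """Bit 15 of the flags field is the SEP (Secure Entry Point) bit: 257 = KSK."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return bool(flags & 0x0001)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA.
    Algorithm 1 (RSAMD5) uses a different rule and is rejected here."""
    if rdata[3] == 1:
        raise ValueError("RSAMD5 key tag not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name wire || DNSKEY RDATA).
    digest_type 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)."""
    h = hashlib.sha1() if digest_type == 1 else hashlib.sha256()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def verify_anchor(presentation, expected_tag, expected_ds=None):
    """Check a fetched DNSKEY against an out-of-band key tag (and optional DS hex).
    Returns a dict describing the key; raises ValueError on mismatch."""
    owner, rdata = parse_dnskey(presentation)
    tag = key_tag(rdata)
    ds = ds_digest(owner, rdata)
    if tag != expected_tag:
        raise ValueError("key tag %d does not match expected %d" % (tag, expected_tag))
    if expected_ds is not None and ds != expected_ds.upper():
        raise ValueError("DS digest mismatch for %s" % owner)
    return {"owner": owner, "ksk": is_ksk(rdata), "tag": tag, "ds_sha256": ds}


if __name__ == "__main__":
    # Expected tag 3346 is the value the algorithm yields for the constructed sample.
    print(verify_anchor(SAMPLE_DNSKEY, 3346))
```

The key tag alone is only a 16-bit checksum, so the DS digest (or a full comparison of the key bytes) is the check that actually matters; the tag is just what `trusted-keys` diagnostics and `dig` output show you first.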