named stops resolving anything -- dnssec issue

Chuck Anderson cra at WPI.EDU
Sun Apr 5 16:04:11 UTC 2009


On Sun, Apr 05, 2009 at 12:00:34PM -0400, Mail Lists wrote:
> On 04/05/2009 09:17 AM, Chuck Anderson wrote:
> 
> >> It appears that the DNSSEC key on the root servers has changed, but I  
> >> have forgotten how to download the root keys. I'll have to dredge  
> >> through the manpages to remember. For now, I, too, have had to disable  
> >> DNSSEC.
> 
>   (1) I assume there must be a clear and robust mechanism to enable keys
> to change (since they all expire) without causing DNS outages?
> 
>   What is the mechanism? Or does one need to be created. I would assume
> that the keys can both be valid for some overlapping period of time for
> example - or that the older key can approve the newer key so the update
> is automatic (less secure but way more robust than any hand required
> method). Perhaps yum can play a role?
> 
>   I cannot imagine a world where the world stops every time a key
> updates...
> 
> > 
> > There was an outage on dlv.isc.org that has now been repaired 
> > according to folks at the ISC.
> 
>   (2) Why would one server prevent bind from working at all?

Because DNSSEC is still in its infancy w.r.t. production deployment 
on the Internet.  The powers that be still haven't signed the root 
zone, and most TLD zones aren't signed either.  So we have to live 
with the hack known as DLV for now, and there isn't much robustness in 
that service yet.
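The rollover mechanism the question above asks for (an overlap window, with the old key approving the new one so the update is automatic) is what RFC 5011 automated trust anchor updates standardise. The following is an added example, not code from this thread or from BIND, modelling how a validating resolver's trust anchor store applies that process: a new KSK is accepted only when the DNSKEY RRset introducing it is signed by a currently trusted key, it becomes trusted after the hold-down period, and the old key is dropped once it signs its own REVOKE. It assumes HMAC tags in place of real RRSIGs and constructed key ids 1001 and 2002.

```python
import hashlib
import hmac

# Constructed simplification: RRSIGs are modelled as HMAC tags over the
# key's "material" field, not real public-key signatures.
HOLD_DOWN_DAYS = 30   # RFC 5011 "add hold-down" period
REVOKE_FLAG = 0x0080  # DNSKEY REVOKE flag bit defined by RFC 5011


def sign_rrset(signer, rrset):
    """Return (signer key id, tag) over the canonical DNSKEY RRset."""
    canon = "|".join(f"{k['id']}:{k['flags']}"
                     for k in sorted(rrset, key=lambda k: k["id"]))
    tag = hmac.new(signer["material"], canon.encode(), hashlib.sha256)
    return signer["id"], tag.hexdigest()


def _signed_by(anchor, rrset, rrsigs):
    """True if rrsigs holds a valid signature made with this anchor."""
    _, expect = sign_rrset(anchor, rrset)
    return any(s == anchor["id"] and hmac.compare_digest(expect, m)
               for s, m in rrsigs)


class TrustAnchorStore:
    """A validating resolver's trust anchors, updated RFC 5011 style."""

    def __init__(self, initial_key):
        self.anchors = {initial_key["id"]: dict(initial_key, state="valid")}

    def trusted_ids(self):
        return sorted(k for k, a in self.anchors.items() if a["state"] == "valid")

    def observe(self, rrset, rrsigs, day):
        """Process the apex DNSKEY RRset seen on `day`; False if bogus."""
        # Only a currently trusted (valid) key may vouch for the RRset.
        if not any(_signed_by(a, rrset, rrsigs)
                   for a in self.anchors.values() if a["state"] == "valid"):
            return False
        for key in rrset:
            kid, anchor = key["id"], self.anchors.get(key["id"])
            if key["flags"] & REVOKE_FLAG:
                # A revoked key is dropped only if it signed its own revocation.
                if anchor is not None and _signed_by(anchor, rrset, rrsigs):
                    anchor["state"] = "revoked"
            elif anchor is None:
                # New key vouched for by an old one: pending until hold-down ends.
                self.anchors[kid] = dict(key, state="pending", seen=day)
            elif anchor["state"] == "pending" and day - anchor["seen"] >= HOLD_DOWN_DAYS:
                anchor["state"] = "valid"
        return True
```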

More information about the fedora-test-list mailing list