"Florian Weimer" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> * Vinny Abello:
>
> > I've got two recursive DNS servers running on FreeBSD 7.0 each with
> > BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.
>
> The annual key rollover for dlv.isc.org happened 30 days ago, and the
> transition period is now over. You probably failed to perform that
> rollover.
I see nothing on the resource https://secure.isc.org/ops/dlv/index.php that tells us that there is a periodic rollover of the key-signing-key for the DLV. I expect that the zone-signing-key ("256") and ONLY that key will be changed every month. The key-signing-key shouldn't be changed very often (if at all). Remember that this is a transitional mechanism that should only be in place for a short number of years. If isc.org is going to change it annually or so, fine, but then let them publish about 4 key-signing-keys, even if only one is actively used. That would be 4 years' worth of keys, which should be enough to cover 4+ years - long enough for ICANN to get off their asses and sign the root zone. Might using the wrong key-signing-key as a trusted key be the cause of the assertion failure I reported in a separate thread?
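The check an operator wants after reading this thread is whether the DNSKEY pinned in a BIND `trusted-keys` stanza is still one the zone actually publishes, and whether it is a KSK (flags 257) or a ZSK (flags 256). The script below is an added example written for this thread; it is not code from the original posters or from ISC. It parses a `trusted-keys` block and a DNSKEY RRset in presentation format, classifies each key by its RFC 4034 flag bits, computes the RFC 4034 Appendix B key tag, and reports any configured anchor that the zone no longer publishes. The key material and the RRset are constructed for the example and are not ISC's real DLV keys; it works for any owner name and any number of anchors, not only dlv.isc.org.

```python
import base64
import re

# Flag bits from RFC 4034 section 2.1.1: 0x0100 = Zone Key, 0x0001 = Secure Entry Point.
# 256 = ZSK (zone key), 257 = KSK (zone key with the SEP bit set).
ZONE_KEY_BIT = 0x0100
SEP_BIT = 0x0001

# Constructed sample named.conf fragment; the base64 key bytes are made up for this example.
NAMED_CONF_SNIPPET = """
trusted-keys {
    dlv.isc.org. 257 3 5 "AQIDBA==";
};
"""

# Constructed sample DNSKEY RRset, as `dig dlv.isc.org DNSKEY` would print it.
# The key material is made up; the zone has rolled to a new KSK and the old one is gone.
PUBLISHED_DNSKEYS = """
dlv.isc.org. 3600 IN DNSKEY 256 3 5 AQIDBA==
dlv.isc.org. 3600 IN DNSKEY 257 3 5 BQYHCA==
"""

TRUSTED_KEY_RE = re.compile(r'^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;', re.M)
DNSKEY_RR_RE = re.compile(
    r'^\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$', re.M)


def key_role(flags):
    """Classify a DNSKEY by its flags field."""
    if not flags & ZONE_KEY_BIT:
        return "not a zone key"
    return "KSK" if flags & SEP_BIT else "ZSK"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_trusted_keys(conf_text):
    """Return (owner, flags, protocol, algorithm, base64 key) tuples from a trusted-keys stanza."""
    m = re.search(r'trusted-keys\s*\{(.*?)\};', conf_text, re.S)
    if not m:
        return []
    return [(n, int(f), int(p), int(a), k) for n, f, p, a, k in TRUSTED_KEY_RE.findall(m.group(1))]


def parse_dnskey_rrset(text):
    """Return the same tuples from DNSKEY records in zone-file presentation format."""
    return [(n, int(f), int(p), int(a), "".join(k.split()))
            for n, f, p, a, k in DNSKEY_RR_RE.findall(text)]


def check_trust_anchors(conf_text, rrset_text):
    """For each configured anchor, report whether the zone still publishes that exact key."""
    published = {}
    for name, f, p, a, key in parse_dnskey_rrset(rrset_text):
        rdata = dnskey_rdata(f, p, a, key)
        published[(name.lower(), rdata)] = key_tag(rdata)
    report = {}
    for name, f, p, a, key in parse_trusted_keys(conf_text):
        rdata = dnskey_rdata(f, p, a, key)
        label = f"{name} {key_role(f)} tag={key_tag(rdata)}"
        if (name.lower(), rdata) in published:
            report[label] = "ok: still published"
        else:
            # List the KSK tags the zone publishes now, so the operator knows what to pin instead.
            current = sorted(t for (n, r), t in published.items()
                             if n == name.lower() and key_role(r[0] << 8 | r[1]) == "KSK")
            report[label] = ("STALE: not in published DNSKEY RRset; published KSK tags: "
                             + ", ".join(map(str, current)))
    return report


if __name__ == "__main__":
    for anchor, status in check_trust_anchors(NAMED_CONF_SNIPPET, PUBLISHED_DNSKEYS).items():
        print(anchor, "->", status)
```

Run against the constructed data it reports the configured KSK as stale and names the tag of the KSK the zone now publishes, which is the situation the reply above describes. In real use you would paste the actual `trusted-keys` stanza and the output of `dig dlv.isc.org DNSKEY` in place of the two constants; the comparison is on the full RDATA, so a key that kept its material but changed flags is also flagged.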
