Re: [DNSOP] .PR servfails due to wrong key in DLV

2009-09-08 Thread Mark Andrews

In message , Paul Wouters writes:
> On Tue, 8 Sep 2009, Stephane Bortzmeyer wrote:
> 
> [added dnsop@ietf.org to the reply]
> 
> > Subject: [Unbound-users] .PR servfails with Unbound but not with BIND
> 
> > % dig SOA pr.
> 
> > I get the key through DLV.
> 
> It's outdated and wrong and missing the new key.
> 
> On Aug 19 2009, pr added this key:
> 
> > PR. IN DNSKEY 257 3 5 AwEAAeDPv9lQ7Ej5Ld9Fz/FKLhdOajwtEXsWykj65ugIa4Di1nY6ti9ndkeR4kp1aSNlvf6N7KsjunfMJj4SccBwcY77DrxmQ+g9nI09ePMZvxF2U63Lv9BftGaIguYdkYZVSwHd1q7DdXqNkLaD4tZEHiN0h/3wBdTQUPH1IoskD1vGxiPw2egftk6sVQdvOJWaAgSpmG0eq+/e90WVTNX4/xhA17PrdQQJIheZQ3+EsDoil8kyJZC12KoHYpFklx7+aCiR2u8Fumy6ARFR4PP0n7bnBaKOgMpVzz+KI79a3USDkj9RhNog50iSWgaBM75Xu0IBNEpcCVYZYjwDESgiDXc=
> 
> And on Sep  4 2009, pr removed this key:
> 
> < PR. IN DNSKEY 257 3 5 AwEAAc6SkFSHw00wJFUWd1Td/efsxhfX+UTrxrzqQXNuZ8Qj2PiP6p/mBxysJt06XgSCB41CPhkgvgqrtdaJ/hXKG81xNXUcGfqvV9wYMJnN+oBB/lLaQU/39fWaNc4fBGiRI2dNDVKPry2YX6y04YrEGRM+wf6HWHVdW1JsxuMuDOSr

Which is a ridiculously short key rollover period (16 days)
when the parent is not signed.  Lots of tracking of TLD
keys is completely manual.
 
> > % dig DLV pr.dlv.isc.org.
> 
> > ;; ANSWER SECTION:
> > pr.dlv.isc.org. 3255 IN DLV 62704 5 2 57E017A982196D194B3F52CDD39F86A9A33DED75064F285A9242BA7A 448A659C
> > pr.dlv.isc.org. 3255 IN DLV 62704 5 1 AFA72CB11D4C97657D82338AF6D569ED614166EB
> 
> These are the old key, and that DLV record should be removed. The new DLV record should be:
> 
> pr.dlv.isc.org. IN DLV 6277 5 2 6966580bb25c608540e8224039561c7b2a1488d1f927c5cdbd137f4ef3d31528
> pr.dlv.isc.org. IN DLV 6277 5 1 05d02dce8385974d958a5db409f6ff3658293b2
> 
> I guess we need a MUCH better communication method between TLDs, iTAR and ISC's DLV. This is bad.
> 
> Paul
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
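The failure in this thread is a DLV registry still serving DS-style records for a key the zone no longer publishes. As an added example (not code from the thread, from ISC, or from any resolver), this is the check a validating-resolver operator can run before trusting a DLV record: recompute the RFC 4034 key tag and the DS digests (SHA-1 and SHA-256) from the DNSKEY .PR published, and look for a DLV record that actually matches it. The key below is the one Paul quotes, with the mail wrapping removed; the stale DLV records are the ones dig returned above; the function names and the `example.` owner name used for self-checking are mine. Paul's corrected records carry key tag 6277, so the printed tag shows whether the transcribed key reproduces it. An empty match list is exactly the condition behind the SERVFAIL: the validator holds a DLV entry for .PR but no DNSKEY it can verify with it.

```python
import base64
import hashlib
import struct

# Constructed from the thread: the DNSKEY .PR added on Aug 19 2009,
# base64 re-joined across the mail wrapping.
PR_NEW_DNSKEY = (
    "AwEAAeDPv9lQ7Ej5Ld9Fz/FKLhdOajwtEXsWykj65ugIa4Di1nY6ti9n"
    "dkeR4kp1aSNlvf6N7KsjunfMJj4SccBwcY77DrxmQ+g9nI09ePMZvxF2"
    "U63Lv9BftGaIguYdkYZVSwHd1q7DdXqNkLaD4tZEHiN0h/3wBdTQUPH1"
    "IoskD1vGxiPw2egftk6sVQdvOJWaAgSpmG0eq+/e90WVTNX4/xhA17Pr"
    "dQQJIheZQ3+EsDoil8kyJZC12KoHYpFklx7+aCiR2u8Fumy6ARFR4PP0"
    "n7bnBaKOgMpVzz+KI79a3USDkj9RhNog50iSWgaBM75Xu0IBNEpcCVYZ"
    "YjwDESgiDXc="
)

# The DLV records pr.dlv.isc.org was still serving, as dig showed in the
# thread: (key tag, algorithm, digest type, digest). DLV RDATA has the
# same layout as DS (RFC 4431), so the same check applies to both.
STALE_DLV = [
    (62704, 5, 2, "57E017A982196D194B3F52CDD39F86A9A33DED75064F285A9242BA7A448A659C"),
    (62704, 5, 1, "AFA72CB11D4C97657D82338AF6D569ED614166EB"),
]

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1): add the RDATA
    as big-endian 16-bit words, fold the carry once, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS/DLV digest (RFC 4034 section 5.1.4): hash(owner wire name || DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def matching_records(owner, flags, protocol, algorithm, pubkey_b64, records):
    """Return the DS/DLV records that authenticate this DNSKEY: tag, algorithm
    and digest must all agree. An empty list means the set cannot validate it."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    matches = []
    for rtag, ralg, dtype, digest in records:
        if (rtag == tag and ralg == algorithm and dtype in DIGEST_ALGS
                and digest.upper() == ds_digest(owner, rdata, dtype)):
            matches.append((rtag, ralg, dtype, digest))
    return matches


if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 5, PR_NEW_DNSKEY)
    print("key tag of the published .PR KSK:", key_tag(rdata))
    for dtype in (1, 2):
        print(f"DS digest type {dtype}:", ds_digest("pr.", rdata, dtype))
    print("stale DLV records that validate it:",
          matching_records("pr.", 257, 3, 5, PR_NEW_DNSKEY, STALE_DLV))
```

The same three-way comparison (tag, algorithm, digest) is what a validator does with a parent's DS set; running it against the registry's published records during a rollover, before the old key is withdrawn, is what catches the mismatch Paul found.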


Re: [DNSOP] .PR servfails due to wrong key in DLV

2009-09-08 Thread Stephane Bortzmeyer
On Tue, Sep 08, 2009 at 09:56:58AM -0700, David Conrad wrote a message of 33 lines which said:

> Out of curiosity (since I'm not on the unbound-users list), why did it  
> work with BIND and not Unbound?

Probably a caching effect and not a real difference between the
resolvers.

My BIND resolver now fails as well.




Re: [DNSOP] .PR servfails due to wrong key in DLV

2009-09-08 Thread David Conrad

Hi,

On Sep 8, 2009, at 8:58 AM, Paul Wouters wrote:

> > Subject: [Unbound-users] .PR servfails with Unbound but not with BIND
> > % dig SOA pr.
> > I get the key through DLV.
> 
> It's outdated and wrong and missing the new key.

Out of curiosity (since I'm not on the unbound-users list), why did it work with BIND and not Unbound?

> I guess we need a MUCH better communication method between TLD's, iTAR and ISC's DLV. This is bad.


3 points:

1) Get used to these sorts of failures.  In the universe of TLD operators, there are a non-trivial number that have limited technical skills.  I can easily imagine folks hiring consultants who come in, set up DNSSEC, and then leave.  Time passes, keys expire, servers change, etc.

2) ISC redistributes the ITAR without any formal or even informal interaction with the ICANN staff that runs the ITAR.  In some particularly unpleasant (at least to me) alternative universe, there could be a myriad of DLV registries.  How should ICANN interact with these DLV registries?

3) Of course, DLV deals with more than TLDs so you can probably take point (1) above and multiply the fun by some non-trivial amount.


Regards,
-drc
