DNSSEC ISSUE (Msg: Request is not signed)

Edward Lewis Ed.Lewis at neustar.biz
Wed Jul 18 13:07:17 UTC 2007


At 6:30 +0900 7/18/07, Curt Sampson wrote:

>Which is exactly what I do right now. And I can't say I've ever had an
>issue with it. However, this detects neither errors in the protocols
>running above the VPN nor errors in the signing itself. And that makes
>me rather nervous given how much stuff would stop working if my master
>server loaded some incorrectly signed data.

At this point, a lot of folks rely on alcohol to quell the nervousness.

(I say in jest.)

Others rely on reports on NANOG: "Can anyone get to example.com?"

(Not so much in jest.)

I am sure there are tools for checking the contents of the name 
server, but none are "popular."  There are institutional practices at 
large registries to check the zone generation process, but each 
solution is internal and hand-crafted.

One practice would be to have a script that runs remotely, looking up 
and testing your essential public services.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Think glocally.  Act confused.
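The remote-check idea in the message above, as an added illustration that is not part of the original thread or any BIND tooling: a small Python script that takes the answer section of a `dig +dnssec` query (here a constructed sample embedded inline, not real zone data) and reports the signing faults a monitoring job would want to catch before resolvers do: RRsets with no covering RRSIG, signatures that are expired or not yet valid, and signatures about to expire. The reference time `NOW`, the sample records and the one-day warning window are assumptions chosen for the example.

```python
"""Check DNSSEC signing health from a captured 'dig +dnssec' answer section."""
from datetime import datetime, timedelta, timezone

# Constructed sample answer section in dig presentation format (not real data).
# The TXT RRSIG is deliberately expired and the MX RRset is deliberately unsigned.
SAMPLE_ANSWER = """\
example.com.  3600 IN A     192.0.2.1
example.com.  3600 IN RRSIG A 8 2 3600 20070801000000 20070701000000 12345 example.com. c29tZXNpZw==
example.com.  3600 IN MX    10 mail.example.com.
example.com.  3600 IN TXT   "v=spf1 -all"
example.com.  3600 IN RRSIG TXT 8 2 3600 20070710000000 20070610000000 12345 example.com. c29tZXNpZw==
"""

# Assumed reference time for the check (the date of the original message).
NOW = datetime(2007, 7, 18, 13, 7, tzinfo=timezone.utc)


def _parse_time(s):
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_answer(text):
    """Group records into RRsets keyed by (owner, type) and RRSIGs keyed by
    (owner, covered type). RRSIG fields in dig output are:
    covered alg labels origttl expiration inception keytag signer sig."""
    rrsets, rrsigs = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        tokens = line.split()
        owner, rtype = tokens[0], tokens[3]
        if rtype == "RRSIG":
            covered = tokens[4]
            expiration, inception = _parse_time(tokens[8]), _parse_time(tokens[9])
            rrsigs.setdefault((owner, covered), []).append((inception, expiration))
        else:
            rrsets.setdefault((owner, rtype), []).append(" ".join(tokens[4:]))
    return rrsets, rrsigs


def check_signatures(text, now, min_remaining=timedelta(days=1)):
    """Return a sorted list of problem strings; an empty list means healthy."""
    rrsets, rrsigs = parse_answer(text)
    problems = []
    for owner, rtype in rrsets:
        sigs = rrsigs.get((owner, rtype))
        if not sigs:
            problems.append(f"{owner} {rtype}: no RRSIG covering the RRset")
            continue
        for inception, expiration in sigs:
            if now < inception:
                problems.append(f"{owner} {rtype}: RRSIG not yet valid "
                                f"(inception {inception:%Y-%m-%d})")
            elif now >= expiration:
                problems.append(f"{owner} {rtype}: RRSIG expired at "
                                f"{expiration:%Y-%m-%d %H:%M}Z")
            elif expiration - now < min_remaining:
                problems.append(f"{owner} {rtype}: RRSIG expires within "
                                f"{min_remaining} ({expiration:%Y-%m-%d %H:%M}Z)")
    return sorted(problems)


if __name__ == "__main__":
    # In a real deployment the text would come from e.g. `dig +dnssec example.com ANY`
    # run from a host outside the serving network, and a non-empty result would page someone.
    for problem in check_signatures(SAMPLE_ANSWER, NOW):
        print(problem)
```

Run from an outside vantage point on a schedule, and treat any non-empty result as an alert; the "expires within" warning is the one that buys time, because it fires while the zone is still validating.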
