DNSSEC ISSUE (Msg: Request is not signed)
Edward Lewis
Ed.Lewis at neustar.biz
Wed Jul 18 13:07:17 UTC 2007
At 6:30 +0900 7/18/07, Curt Sampson wrote:
>Which is exactly what I do right now. And I can't say I've ever had an
>issue with it. However, this detects neither errors in the protocols
>running above the VPN nor errors in the signing itself. And that makes
>me rather nervous given how much stuff would stop working if my master
>server loaded some incorrectly signed data.

At this point, a lot of folks rely on alcohol to quell the nervousness.
(I say in jest.)

Others rely on reports on NANOG: "Can anyone get to example.com?"
(Not so much in jest.)

I am sure there are tools for checking the contents of the name
server, but none are "popular." There are institutional practices at
large registries to check the zone generation process, but each
solution is internal and hand-crafted.

One practice would be to have a script that runs remotely, looking up
and testing your essential public services.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Think glocally. Act confused.
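
An added example, not part of the original message: one possible form of the remote script suggested above, run from an outside host against a validating resolver and flagging failed validation or RRSIGs that are expired, not yet valid, or close to expiry. The command-line usage, the three-day warning window and the sample dig output are assumptions constructed for illustration.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# dig RRSIG line: owner TTL IN RRSIG covered alg labels orig-ttl expiration inception ...
RRSIG_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+\S+\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s", re.M)

# Constructed sample of `dig +dnssec` output from a validating resolver.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN RRSIG A 8 3 300 20070801000000 20070702000000 12345 example.com. c2ln
"""

def to_utc(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check(dig_output, now, warn=timedelta(days=3)):
    """Return a list of problems in one dig +dnssec response (empty list = healthy)."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    if not status or not flags:
        return ["no response"]
    if status.group(1) != "NOERROR":
        # A validating resolver answers SERVFAIL when data fails validation (among other causes).
        return ["status " + status.group(1)]
    problems = []
    if "ad" not in flags.group(1).split():
        problems.append("not validated (no ad flag)")
    sigs = RRSIG_RE.findall(dig_output)
    if not sigs:
        problems.append("no RRSIG returned")
    for expiration, inception in sigs:
        if to_utc(inception) > now:
            problems.append("RRSIG not yet valid")
        if to_utc(expiration) <= now:
            problems.append("RRSIG expired")
        elif to_utc(expiration) - now < warn:
            problems.append("RRSIG expires within warning window")
    return problems

if __name__ == "__main__":
    # Usage (assumed): check.py <validating-resolver-ip> <name> [<name> ...]
    for name in sys.argv[2:]:
        out = subprocess.run(["dig", "+dnssec", "@" + sys.argv[1], name, "A"],
                             capture_output=True, text=True).stdout
        for problem in check(out, datetime.now(timezone.utc)):
            print(name + ": " + problem)
```
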