dnssec lookaside to dlv.isc.org broke recursion

Mark Andrews Mark_Andrews at isc.org
Sat Oct 25 00:09:02 UTC 2008


In message <gdqp0v$57o$1 at snarked.org>, "D. Stussy" writes:
> "Florian Weimer" <fw at deneb.enyo.de> wrote in message
> news:gdqfih$l14$1 at sf1.isc.org...
> > * Vinny Abello:
> >
> > > I've got two recursive DNS servers running on FreeBSD 7.0 each with
> > > BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.
> >
> > The annual key rollover for dlv.isc.org happened 30 days ago, and the
> > transition period is now over.  You probably failed to perform that
> > rollover.
> 
> I see nothing on the resource https://secure.isc.org/ops/dlv/index.php that
> tells us that there is a periodic rollover of the key-signing-key for the
> DLV.  I expect that the zone-signing-key ("256") and ONLY that key will be
> changed every month.  The key-signing-key shouldn't be changed very often
> (if at all).  Remember that this is a transitional mechanism that should
> only be in place for a short number of years.

	See DLV Registry Policy and Practice which is linked off of
	that page.

	https://secure.isc.org/ops/dlv/dlv-pol-pract-v1.0.php

	The trusted keys have always been described as

		"The current DLV KSK public key"

	Which should also be a clear indication that they change.

	Adding a "next scheduled key rollover commencement date" may
	be useful.   Note there can always be emergency key rollover
	events so you should be subscribed to the announcement list.

	Mark

> If isc.org is going to change it annually or so, fine, but then let them
> publish about 4 key-signing-keys, even if only one is actively used.  That
> would be 4 years worth of keys, which should be enough to cover 4+ years -
> long enough for ICANN to get off their asses and sign the root zone.
> 
> Might using the wrong key-signing-key as a trusted key be the cause of the
> assertion failure I reported in a separate thread?
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
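Added example, not part of the thread above and not ISC's code: a small Python check for the situation Vinny and Mark describe, where the DLV KSK has rolled and the copy in named.conf has gone stale. It parses a BIND trusted-keys statement and a DNSKEY RRset in dig's presentation format, computes the RFC 4034 key tag for each key, and reports whether the configured anchor is still one of the zone's published KSKs (SEP bit set, revoke bit clear) and which published KSK tags are not configured. Everything below is constructed for illustration: the named.conf and dig fragments, and the key material "BQYH", "AQID BA==" and "Cgs=", are made up and are not the real dlv.isc.org keys. It assumes dig's default output with one DNSKEY record per line (not +multi). When run against live data, the DNSKEY RRset fed to it should come over a channel you already trust (the announcement list or ISC's page), since a stale anchor cannot validate its own replacement.

```python
"""Added check (not from the thread, not ISC code): does the DLV trust anchor
in named.conf still match a KSK published in the DLV zone's DNSKEY RRset?"""
import base64
import re

# Constructed named.conf fragment (BIND 9.4 syntax).  "BQYH" is made-up key
# material standing in for an anchor left over from before a KSK rollover.
STALE_NAMED_CONF = """
options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside "." trust-anchor dlv.isc.org;
};
trusted-keys {
    "dlv.isc.org." 257 3 5 "BQYH";
};
"""

# Same fragment after the operator copied in the current DLV KSK (also made up).
CURRENT_NAMED_CONF = STALE_NAMED_CONF.replace('"BQYH"', '"AQID BA=="')

# Constructed dig output for the DLV zone; real dig prints the base64 key in
# space-separated chunks, which the parser joins.  Not the real dlv.isc.org keys.
PUBLISHED_DNSKEY = """
; <<>> constructed answer section, one DNSKEY record per line <<>>
dlv.isc.org.   3600  IN  DNSKEY  257 3 5 AQID BA==
dlv.isc.org.   3600  IN  DNSKEY  256 3 5 Cgs=
"""


def key_tag(flags, protocol, algorithm, key_bytes):
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA
    (the special case for algorithm 1, RSAMD5, is not handled)."""
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + key_bytes
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


_TRUSTED_KEY = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')


def _record(name, flags, proto, alg, key_b64):
    """Normalise one key (from either source) into a dict with its key tag."""
    key = base64.b64decode(re.sub(r"\s+", "", key_b64))
    return {"name": name.lower(), "flags": flags, "proto": proto, "alg": alg,
            "key": key, "tag": key_tag(flags, proto, alg, key)}


def parse_trusted_keys(conf_text):
    """Return the anchors in every trusted-keys statement of a named.conf."""
    anchors = []
    for m in _TRUSTED_KEY.finditer(conf_text):
        name, flags, proto, alg, key = m.groups()
        anchors.append(_record(name, int(flags), int(proto), int(alg), key))
    return anchors


def parse_dnskey_rrset(dig_text):
    """Return the DNSKEY records from dig's answer section."""
    records = []
    for line in dig_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0].startswith(";") or f[3] != "DNSKEY":
            continue
        records.append(_record(f[0], int(f[4]), int(f[5]), int(f[6]), " ".join(f[7:])))
    return records


def audit(conf_text, dig_text):
    """Compare configured anchors against published KSKs (SEP flag set,
    revoke flag clear).  An anchor is 'current' only if name, flags, protocol,
    algorithm and key material all match a published KSK."""
    def ident(r):
        return (r["name"], r["flags"], r["proto"], r["alg"], r["key"])

    published = {ident(r): r for r in parse_dnskey_rrset(dig_text)
                 if r["flags"] & 0x0001 and not r["flags"] & 0x0080}
    configured = parse_trusted_keys(conf_text)
    anchors = [{"name": a["name"], "tag": a["tag"],
                "status": "current" if ident(a) in published else "stale"}
               for a in configured]
    known = {ident(a) for a in configured}
    missing = sorted(r["tag"] for k, r in published.items() if k not in known)
    return {"anchors": anchors, "missing_ksk_tags": missing}


if __name__ == "__main__":
    for label, conf in (("stale", STALE_NAMED_CONF), ("updated", CURRENT_NAMED_CONF)):
        report = audit(conf, PUBLISHED_DNSKEY)
        for a in report["anchors"]:
            print(f"{label}: anchor {a['name']} tag {a['tag']} is {a['status']}")
        if report["missing_ksk_tags"]:
            print(f"{label}: published KSK tag(s) not configured: {report['missing_ksk_tags']}")
```

With the constructed data the stale configuration reports its anchor (tag 4108) as stale and lists the published KSK tag 2060 as not configured; the updated configuration reports tag 2060 as current. Run periodically, a "stale" result during the overlap period is the warning that the thread says was missed, before the old key stops being accepted and recursion fails.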

