ISC DLV dnssec

R Dicaire kritek at
Sun Apr 5 21:54:48 UTC 2009

On Sun, Apr 5, 2009 at 5:40 PM, Mark Andrews <Mark_Andrews at> wrote:
>> Shouldn't the behaviour for DLV lookups be such that if the query
>> can't be answered by the DLV server, then fall back to a non-dnssec
>> lookup?
>        No.

May I ask why?
I'm sure something was learned from whatever caused the DLV server to
malfunction, but was that kind of malfunction something we can look
forward to when . and TLDs are signed?
If that kind of breakage in lookups can occur, should there not be a
contingency to be able to continue to use the Internet when such
breakage occurs?
I could see online businesses panicking when something like this happens.

>        There was a fault which caused RRSIG of the key signing key
>        to be missing.  The key signing key is the one listed in
>        the trusted-keys clause above.  This caused a break in the
>        chain of trust as the DNSKEY RRset could not be validated
>        which meant named could not determine if the answers to the
>        DLV queries were valid or not and in turn the answers to
>        all other queries.

Could you provide more details as to what specifically caused the fault?
Perhaps then other dns admins may learn something new to look for when
having to troubleshoot a similar problem. I know it would help me
further understand.


aRDy Music and Rick Dicaire present:

More information about the bind-users mailing list