DLV validation fails after ksk rollover
R Dicaire
kritek at gmail.com
Wed Jun 24 01:30:07 UTC 2009
On Tue, Jun 23, 2009 at 8:10 PM, Mark Andrews <marka at isc.org> wrote:
>
> Even if the update were published on the master instantaneously
> you still need to wait for the zone to transfer to all the
> slaves and for the old DLV records to timeout of caches.
Even 24 hrs after? My zone TTLs are set for 3 hrs. It's now been ~36
hrs since I put the new keys up on DLV, and still they cannot be
validated.
Is this due to the above?
> DNSSEC changes are not and never will be instantaneous. You
> either have to change the DLV/DS records in advance of
> adding keys in or you need to wait for old DNSKEY RRset to
> timeout before you change your DNSKEY RRset. You tried to
> change both at once and that will never work.
I recognize I shouldn't have removed the old keys from DLV as soon as
I'd put the new ones up; I didn't do this on the last KSK rollover.
--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
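The cache race Mark Andrews describes above can be checked mechanically. The following is an added example, not code from this thread or from BIND: a toy model of a validating resolver as two independent caches (one for the zone's DNSKEY RRset, one for the DLV/DS record set), each holding whatever copy it last fetched until that copy's TTL expires, with validation succeeding only when some cached DNSKEY is referenced by a cached DLV/DS record. It compares the "swap both at once" sequence with the pre-publish sequence (add the new key next to the old one, wait out the DNSKEY TTL, change DLV, wait out the DLV TTL, drop the old key). The key names, the 3-hour TTLs, the start time and the one-hour `propagation` allowance for slave transfers are constructed values; RRSIG TTLs are not modelled separately.

```python
"""Toy model of the resolver-cache race during a KSK rollover anchored in DLV (or DS).

Added example; not code from the bind-users thread or from BIND. Assumption: a
validating resolver keeps the zone's DNSKEY RRset and the DLV/DS record set in two
independent caches, each holding the copy it last fetched until that copy's TTL
expires; the zone validates only if some cached DNSKEY is referenced by a cached
DLV/DS record. Key names, TTLs and times below are constructed values.
"""
from bisect import bisect_right

HOUR = 3600


def value_at(events, t):
    """events: list of (time, value) sorted by time; return the value in force at t."""
    times = [when for when, _ in events]
    idx = bisect_right(times, t) - 1
    return events[max(idx, 0)][1]  # before the first event, assume the initial value


def possible_cached(events, now, ttl):
    """Every value some resolver may still hold at `now`: anything that was
    authoritative at any instant of [now - ttl, now] (closed, so slightly conservative)."""
    vals = {value_at(events, now - ttl)}
    vals.update(value for when, value in events if now - ttl < when <= now)
    return vals


def can_fail(dnskey_events, dlv_events, now, dnskey_ttl, dlv_ttl):
    """True if some admissible pair of cached copies shares no key, i.e. validation fails."""
    return any(
        not keys & anchors
        for keys in possible_cached(dnskey_events, now, dnskey_ttl)
        for anchors in possible_cached(dlv_events, now, dlv_ttl)
    )


def failure_window(dnskey_events, dlv_events, dnskey_ttl, dlv_ttl, horizon, step=60):
    """(first, last) sampled times in [0, horizon] at which validation can fail, else None."""
    bad = [t for t in range(0, horizon + 1, step)
           if can_fail(dnskey_events, dlv_events, t, dnskey_ttl, dlv_ttl)]
    return (bad[0], bad[-1]) if bad else None


OLD, NEW = frozenset({"ksk-old"}), frozenset({"ksk-new"})  # constructed key labels


def swap_both_at_once(t):
    """The sequence the thread describes: new DNSKEY RRset and new DLV record published
    at the same time `t`, old ones withdrawn immediately."""
    dnskey = [(0, OLD), (t, NEW)]
    dlv = [(0, OLD), (t, NEW)]
    return dnskey, dlv


def double_signature_rollover(t, dnskey_ttl, dlv_ttl, propagation):
    """Pre-publish sequence: add the new key next to the old one at `t`, wait for the old
    DNSKEY RRset to expire everywhere (TTL plus slave propagation), then change DLV,
    wait for the old DLV record to expire everywhere, then drop the old key."""
    t_dlv = t + dnskey_ttl + propagation
    t_drop = t_dlv + dlv_ttl + propagation
    dnskey = [(0, OLD), (t, OLD | NEW), (t_drop, NEW)]
    dlv = [(0, OLD), (t_dlv, NEW)]
    return dnskey, dlv


if __name__ == "__main__":
    ttl = 3 * HOUR          # the poster's zone TTL; the DLV record TTL is assumed equal
    start = 10 * HOUR       # constructed rollover start time
    bad = failure_window(*swap_both_at_once(start), ttl, ttl, horizon=48 * HOUR)
    print("swap both at once: can fail from %.2fh to %.2fh" % (bad[0] / HOUR, bad[1] / HOUR))
    ok = failure_window(*double_signature_rollover(start, ttl, ttl, HOUR), ttl, ttl, 48 * HOUR)
    print("double-signature rollover: failure window =", ok)
```

With both TTLs at 3 hours, the swap-at-once schedule lets a resolver pair a stale DNSKEY copy with a fresh DLV copy (or vice versa) for the full TTL after the change, whereas the pre-publish schedule never produces a disjoint pair; the same functions can be run against any real schedule and the actual DNSKEY and DLV TTLs before pulling an old key.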