DLV validation fails after ksk rollover

R Dicaire kritek at gmail.com
Wed Jun 24 01:30:07 UTC 2009


On Tue, Jun 23, 2009 at 8:10 PM, Mark Andrews <marka at isc.org> wrote:
>
>        Even if the update were published on the master instantaneously
>        you still need to wait for the zone to transfer to all the
>        slaves and for the old DLV records to time out of caches.

Even 24 hrs after? My zone TTLs are set for 3 hrs. It's now been ~36
hrs since I put the new keys up on DLV, and still they cannot be
validated.
Is this due to the above?

>        DNSSEC changes are not and never will be instantaneous.  You
>        either have to change the DLV/DS records in advance of
>        adding keys in or you need to wait for the old DNSKEY RRset to
>        time out before you change your DNSKEY RRset.  You tried to
>        change both at once and that will never work.

I recognize I shouldn't have removed the old keys from DLV as soon as
I'd put the new ones up; I didn't do this on the last KSK rollover.

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
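The point Mark makes above (swap the DNSKEY RRset and the DLV/DS record at the same time and some resolvers will hold one old copy and one new copy until their caches expire) can be shown with a small cache model. The following is an added illustration, not code from this thread or from BIND: it drives a population of toy validating resolvers, each caching the DNSKEY RRset and the DLV record independently with its own phase, and records the times at which any of them fails to link the DLV record to a published key. The key tags "old" and "new", the 3-hour TTLs and the rollover times are constructed values; the model has a single authoritative source, so the zone-transfer delay is passed as a separate `propagation` term to `safe_wait` rather than simulated.

```python
"""Toy model of resolver caches during a KSK rollover anchored in DLV.

Added example, not from the bind-users thread or from BIND.  Times are in
hours; key tags "old" and "new" are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass
class CachedRRset:
    keys: frozenset  # key tags the cached RRset refers to
    fetched_at: float
    ttl: float

    def expired(self, now):
        return now >= self.fetched_at + self.ttl


class Resolver:
    """One validating resolver; DNSKEY and DLV are cached independently."""

    def __init__(self, dnskey_ttl, dlv_ttl):
        self.dnskey_ttl = dnskey_ttl
        self.dlv_ttl = dlv_ttl
        self.dnskey = None
        self.dlv = None

    def validates(self, now, published):
        """Refetch whatever has expired, then check the chain of trust:
        the cached DLV record must reference a key in the cached DNSKEY set."""
        pub_dnskey, pub_dlv = published(now)
        if self.dnskey is None or self.dnskey.expired(now):
            self.dnskey = CachedRRset(frozenset(pub_dnskey), now, self.dnskey_ttl)
        if self.dlv is None or self.dlv.expired(now):
            self.dlv = CachedRRset(frozenset(pub_dlv), now, self.dlv_ttl)
        return bool(self.dnskey.keys & self.dlv.keys)


def safe_wait(ttl, propagation):
    """Minimum wait after a change before relying on it: every cache must
    have dropped its old copy (ttl) and every slave must have transferred
    the new zone (propagation)."""
    return ttl + propagation


def simultaneous_swap(t_swap):
    """The failure mode from the thread: new KSK published and old DLV
    record replaced at the same moment."""
    def published(now):
        if now < t_swap:
            return {"old"}, {"old"}
        return {"new"}, {"new"}
    return published


def staged_rollover(t_start, wait):
    """Double-signature KSK rollover: add the new key, wait, move the DLV
    record to the new key, wait, remove the old key."""
    t_dlv = t_start + wait
    t_remove = t_dlv + wait

    def published(now):
        if now < t_start:
            return {"old"}, {"old"}
        if now < t_dlv:
            return {"old", "new"}, {"old"}
        if now < t_remove:
            return {"old", "new"}, {"new"}
        return {"new"}, {"new"}
    return published


def population(dnskey_ttl, dlv_ttl, step):
    """Resolvers already holding the pre-rollover records, covering every
    combination of cache phase for the two RRsets."""
    resolvers = []
    for i in range(int(dnskey_ttl / step)):
        for j in range(int(dlv_ttl / step)):
            r = Resolver(dnskey_ttl, dlv_ttl)
            r.dnskey = CachedRRset(frozenset({"old"}), -i * step, dnskey_ttl)
            r.dlv = CachedRRset(frozenset({"old"}), -j * step, dlv_ttl)
            resolvers.append(r)
    return resolvers


def failure_times(published, dnskey_ttl, dlv_ttl, horizon, step=0.25):
    """Query every resolver once per step and return the sorted times at
    which at least one of them fails validation."""
    resolvers = population(dnskey_ttl, dlv_ttl, step)
    failures = set()
    for k in range(int(horizon / step)):
        now = k * step
        if any(not r.validates(now, published) for r in resolvers):
            failures.add(now)
    return sorted(failures)


if __name__ == "__main__":
    # Constructed scenario: 3-hour TTLs, change made at hour 1.
    bad = failure_times(simultaneous_swap(1.0), 3, 3, horizon=12)
    good = failure_times(staged_rollover(1.0, safe_wait(3, 0)), 3, 3, horizon=12)
    print("simultaneous swap fails from", min(bad), "to", max(bad))
    print("staged rollover failures:", good)
```

With equal 3-hour TTLs the simultaneous swap produces failures from the moment of the change until the last old copy fetched just before it has aged out, i.e. roughly one TTL; the staged schedule, which waits one TTL between adding the key, moving the DLV record and removing the old key, never produces a resolver holding a DLV record that points at no cached key. In a real rollover add the slave transfer delay to the wait, as `safe_wait` does.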
