DLV validation fails after ksk rollover

Mark Andrews marka at isc.org
Wed Jun 24 02:10:16 UTC 2009


In message <e754e90906231830g5d4a465y29251ce27d58acde at mail.gmail.com>, R Dicaire writes:
> On Tue, Jun 23, 2009 at 8:10 PM, Mark Andrews<marka at isc.org> wrote:
> >
> >        Even if the update were published on the master instantaneously
> >        you still need to wait for the zone to transfer to all the
> >        slaves and for the old DLV records to time out of caches.
> 
> Even 24 hrs after? My zone TTLs are set for 3 hrs. It's now been ~36
> hrs since I put the new keys up on DLV, and still they cannot be
> validated.
> Is this due to the above?

Yes, the updates are slow because we had some disasters with the
automation but we intend to turn that on again soon.  That being
said you really do need to check that the new data has been published
before you start the wait periods.  That is part of the key rollover
protocol.

Automation will eventually do this checking and waiting for you as
the tools get better but for the moment you need to do it.

Note one really should be doing the same sorts of things for
nameservers when they are being changed.  Configure new nameservers
before adding them (A/AAAA/NS).  Wait for the old nameservers'
references (A/AAAA/NS) to expire from caches before decommissioning
them.  Have all the nameservers (new and old) for the zone serve
the same content.  Failure to do this also causes problems.

Note you are not alone here.  Others have done the same sort of
thing before, even those who should have known better.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
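The check Mark describes, "confirm the new data is actually served by every authoritative server before you start the wait period, then wait at least as long as the old record's TTL", applies equally to the DLV rollover in this thread and to the nameserver (NS/A/AAAA) changes he mentions. The script below is an added example, not code from the original post or from ISC. It parses `dig +noall +answer` output from each server, reports which servers still lack the new record or disagree with the others, and reports the longest TTL any server attached to the old record, which is the bound on how long caches can keep serving it. The server names, DLV digests and sample answers are constructed; the `query()` helper shows the live `dig` invocation but the demo runs offline. One practical caveat: for a DLV rollover the TTL that matters is the one on the DLV RRset in the registry zone (here `example.com.dlv.isc.org.`), not the TTL of your own zone, which is why a 3-hour zone TTL tells you nothing about when old DLV data expires from caches.

```python
"""Pre-withdrawal check for a DLV (or DNSKEY/DS/NS/A/AAAA) rollover.

Added example, not code from the original post or from ISC.  Before the
"wait for caches" period of a rollover can start, every authoritative
server must already answer with the new data; this parses
`dig +noall +answer` output from each server and reports which ones are
still behind and how long cached copies of the old record can survive.
Server names, record contents and digests below are constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List

# One `dig +noall +answer` line: owner  TTL  class  type  rdata
_ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(?:IN|CH|HS)\s+(\S+)\s+(.+)$")


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dig_answer(text: str) -> List[RR]:
    """Turn dig's answer section into RR objects, skipping comments and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _ANSWER_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            # Normalise rdata whitespace so the same record compares equal
            # no matter which server formatted it.
            records.append(RR(name.lower(), int(ttl), rtype.upper(), " ".join(rdata.split())))
    return records


def query(server: str, name: str, rtype: str) -> List[RR]:
    """Live query of one authoritative server (needs dig and network; not used by the demo)."""
    out = subprocess.run(
        ["dig", "+noall", "+answer", "+norecurse", f"@{server}", name, rtype],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_dig_answer(out)


@dataclass
class RolloverStatus:
    missing_new: List[str]   # servers that do not yet serve the new record
    inconsistent: List[str]  # servers whose RRset differs from the union of all answers
    wait_seconds: int        # longest TTL any server attached to the old record

    @property
    def published_everywhere(self) -> bool:
        return not self.missing_new and not self.inconsistent


def rollover_check(answers: Dict[str, List[RR]], new_rdata: str, old_rdata: str) -> RolloverStatus:
    """answers maps each authoritative server to the RRset it returned for one name/type."""
    rrsets = {srv: frozenset(rr.rdata for rr in rrs) for srv, rrs in answers.items()}
    union = frozenset().union(*rrsets.values())
    missing = sorted(srv for srv, s in rrsets.items() if new_rdata not in s)
    inconsistent = sorted(srv for srv, s in rrsets.items() if s != union)
    # A resolver may have cached the old record from any server, so the
    # longest TTL seen anywhere is the minimum wait before withdrawing it.
    old_ttls = [rr.ttl for rrs in answers.values() for rr in rrs if rr.rdata == old_rdata]
    return RolloverStatus(missing, inconsistent, max(old_ttls, default=0))


# Constructed `dig +noall +answer @<server> example.com.dlv.isc.org DLV` output.
# ns-a already carries the new DLV record; ns-b is a slave still serving an
# older copy of the zone (and a longer TTL, which is what caches will hold).
OLD_DLV = "12345 5 1 0123456789ABCDEF0123456789ABCDEF01234567"
NEW_DLV = "54321 5 1 FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_ANSWERS = {
    "ns-a.example.net": f"""
example.com.dlv.isc.org. 3600 IN DLV {OLD_DLV}
example.com.dlv.isc.org. 3600 IN DLV {NEW_DLV}
""",
    "ns-b.example.net": f"""
;; stale copy of the zone on this slave (constructed)
example.com.dlv.isc.org. 7200 IN DLV {OLD_DLV}
""",
}


def check_sample() -> RolloverStatus:
    """Run the check against the constructed answers instead of live servers."""
    answers = {srv: parse_dig_answer(t) for srv, t in SAMPLE_ANSWERS.items()}
    return rollover_check(answers, NEW_DLV, OLD_DLV)


if __name__ == "__main__":
    status = check_sample()
    if status.published_everywhere:
        print(f"new record on all servers; wait >= {status.wait_seconds}s before withdrawing the old one")
    else:
        print("do NOT start the wait period yet:")
        print("  missing new record:", status.missing_new)
        print("  RRset differs from others:", status.inconsistent)
```

For live use, replace `SAMPLE_ANSWERS` with `query(server, "example.com.dlv.isc.org.", "DLV")` for each server listed in the registry zone's NS RRset, and re-run until `published_everywhere` is true; only then does the clock for `wait_seconds` start. The same call with `rtype="NS"` (or `"A"`/`"AAAA"` on the nameserver names) covers the server-renumbering case in the post.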



More information about the bind-users mailing list