lists.isc.org rDNS failed, DNSSEC?

Kevin Oberman kob6558 at gmail.com
Thu Feb 23 23:20:30 UTC 2012


On Thu, Feb 23, 2012 at 2:47 PM, Mark Andrews <marka at isc.org> wrote:
>
> There was an issue with the delegation of some zones.  NS records
> were not added to the parent zone when they should have been but
> the scripts which sign the zones added DS records which caused the
> parent zone not to be resigned.  The signatures for the parent zone
> eventually expired which caused resolution failures for all the
> children of the parent zone rather than just the zones with a broken
> delegation.
>
> The scripts that sign the zones did report the error but those
> reports were overlooked.
>
> Operations is looking at their procedures and what additional
> checking can be done to prevent a repeat.

I've seen several places, mostly in .gov, bitten by this one and I'll
admit that it almost caught me, but the fact that the ISC tripped over
this says volumes about how careful people have to be about handling
details when DNSSEC is added. It simply can't be the "set and forget"
DNS of the past, at least not until and unless tools become far more
bullet-proof.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at gmail.com
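As an added example (not code from the thread, from ISC, or from the scripts Mark describes), here is the kind of pre-publish check that would have caught both halves of the failure he reports: a DS RRset at an owner name that has no matching NS RRset in the parent (the delegation was never added), and an RRSIG in the parent that is about to expire or already has (the parent was not re-signed). The zone snippet, the names under example., the simplified one-record-per-line zone layout and the three-day safety margin are all constructed for illustration. The point of returning the problems as a list rather than logging them is that the signing pipeline can refuse to publish when the list is non-empty, instead of writing a report that nobody reads.

```python
"""Pre-publish sanity checks for a signed parent zone (illustrative, not ISC's code).

Check 1: every owner name with a DS RRset must also have an NS RRset;
         a DS with no delegation means the parent was edited inconsistently.
Check 2: no RRSIG in the zone may expire within a safety margin; an expired
         signature in the parent breaks resolution for every child below it.
The parser is deliberately minimal: one record per line, fully-qualified
owner names, "owner TTL class type rdata..." layout, ';' comments.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample (hypothetical names). child1 is delegated correctly,
# child2 has a DS but no NS, and the SOA RRSIG expired on 2012-02-20.
SAMPLE_ZONE = """\
example.         3600 IN SOA   ns1.example. hostmaster.example. 2012022301 7200 3600 1209600 3600
example.         3600 IN RRSIG SOA 8 1 3600 20120220000000 20120121000000 12345 example. c2lnbmF0dXJl
example.         3600 IN NS    ns1.example.
child1.example.  3600 IN NS    ns1.child1.example.
child1.example.  3600 IN DS    23456 8 2 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
child2.example.  3600 IN DS    34567 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""


def parse_zone(text):
    """Map (owner, type) -> list of rdata token lists."""
    records = {}
    for line in text.splitlines():
        line = line.split(';', 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _class, rtype, *rdata = line.split()
        records.setdefault((owner.lower(), rtype.upper()), []).append(rdata)
    return records


def parse_timestamp(s):
    """RRSIG expiration/inception fields are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, '%Y%m%d%H%M%S').replace(tzinfo=timezone.utc)


def orphan_ds(records):
    """Owner names carrying a DS RRset but no NS RRset (DS without a delegation)."""
    return sorted(o for (o, t) in records if t == 'DS' and (o, 'NS') not in records)


def expiring_rrsigs(records, now, margin):
    """(owner, type covered, expiration) for each RRSIG expiring before now + margin."""
    out = []
    for (owner, rtype), rdatas in records.items():
        if rtype != 'RRSIG':
            continue
        for rdata in rdatas:
            # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig
            exp = parse_timestamp(rdata[4])
            if exp <= now + margin:
                out.append((owner, rdata[0].upper(), exp))
    return sorted(out)


def check_zone(text, now=None, margin_days=3):
    """Return a list of problem strings; an empty list means safe to publish.

    `now` is a YYYYMMDDHHMMSS string so the clock can be pinned in tests;
    the default is the real UTC time.  margin_days is an arbitrary choice.
    """
    now_dt = parse_timestamp(now) if now else datetime.now(timezone.utc)
    records = parse_zone(text)
    problems = []
    for owner in orphan_ds(records):
        problems.append(f"DS without NS at {owner}: delegation missing in parent")
    for owner, covered, exp in expiring_rrsigs(records, now_dt, timedelta(days=margin_days)):
        problems.append(f"RRSIG over {covered} at {owner} expires {exp:%Y-%m-%dT%H:%MZ}; re-sign now")
    return problems


if __name__ == '__main__':
    # Pin the clock to the date of the thread so the sample shows both failures.
    found = check_zone(SAMPLE_ZONE, now="20120223000000")
    for p in found:
        print("FAIL", p)
    # A non-zero exit stops the pipeline instead of producing an ignorable report.
    raise SystemExit(1 if found else 0)
```

Run against the sample it reports two failures, one per check; fix the delegation (add the missing NS for child2) and re-sign (fresh SOA RRSIG expiration) and it returns an empty list and exits 0. Hooking this in after the signing step and before the zone is loaded into the master is the "additional checking" the report calls for; the expiry margin should be larger than the longest interval between signing runs.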
