lists.isc.org rDNS failed, DNSSEC?

Vinny_Abello at Dell.com
Fri Feb 24 04:48:14 UTC 2012


I kind of had the same thought... If ISC had a DNS outage due to expired signatures of a zone, what chance do I have in successfully deploying and maintaining DNSSEC for my zones? Sure, everyone makes mistakes, but I think it speaks volumes to the inherent complexity and the further need for simplifying the maintenance of signed zones. I know that progress is continually being made on this front and I think others agree... Just pointing it out again. I have nothing against DNSSEC, personally. I'd love to deploy it. I just don't have the time to maintain it or worry about maintaining it right now.

-Vinny

-----Original Message-----
From: bind-users-bounces+vinny_abello=dell.com at lists.isc.org [mailto:bind-users-bounces+vinny_abello=dell.com at lists.isc.org] On Behalf Of Kevin Oberman
Sent: Thursday, February 23, 2012 6:21 PM
To: Mark Andrews
Cc: bind-users at isc.org
Subject: Re: lists.isc.org rDNS failed, DNSSEC?

On Thu, Feb 23, 2012 at 2:47 PM, Mark Andrews <marka at isc.org> wrote:
>
> There were issues with the delegation of some zones.  NS records
> were not added to the parent zone when they should have been but
> the scripts which sign the zones added DS records which caused the
> parent zone not to be resigned.  The signatures for the parent zone
> eventually expired which caused resolution failures for all the
> children of the parent zone rather than just the zones with a broken
> delegation.
>
> The scripts that sign the zones did report the error but those
> reports were overlooked.
>
> Operations is looking at their procedures and what additional
> checking can be done to prevent a repeat.

I've seen several places, mostly in .gov, bitten by this one and I'll
admit that it almost caught me, but the fact that the ISC tripped over
this says volumes about how careful people have to be about handling
details when DNSSEC is added. It simply can't be the "set and forget"
DNS of the past, at least not until and unless tools become far more
bullet-proof.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at gmail.com

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
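The failure Mark describes is a pre-publish check that never blocked the pipeline: DS records were added at names with no NS delegation, the parent was not resigned, and the parent's own RRSIGs aged out. The script below is an added example written for this thread, not ISC's signing scripts or anything from BIND. It reads a constructed, hypothetical parent zone (`example.test`) in presentation format and flags exactly those two conditions: a DS RRset at a name that has no NS RRset, and RRSIGs that are expired or within a warning window of expiry. The zone data, names and the `warn_before` window are all assumptions made for the example.

```python
"""Pre-publish sanity checks for a signed parent zone (added example).

Two checks that map onto the incident discussed above:
  1. a DS RRset at a name with no NS RRset (DS without a delegation);
  2. RRSIGs that are expired or about to expire.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample zone, not real data. RRSIG signature fields are
# shortened to "AAAA" because only the expiration field is inspected.
SAMPLE_ZONE = """\
; hypothetical parent zone after a signing run
example.test.        3600 IN SOA   ns1.example.test. hostmaster.example.test. 2012022301 7200 3600 1209600 3600
example.test.        3600 IN NS    ns1.example.test.
example.test.        3600 IN RRSIG SOA 8 2 3600 20120222000000 20120123000000 12345 example.test. AAAA
example.test.        3600 IN RRSIG NS 8 2 3600 20120222000000 20120123000000 12345 example.test. AAAA
good.example.test.   3600 IN NS    ns1.good.example.test.
good.example.test.   3600 IN DS    54321 8 2 0123456789ABCDEF
good.example.test.   3600 IN RRSIG DS 8 3 3600 20120222000000 20120123000000 12345 example.test. AAAA
broken.example.test. 3600 IN DS    11111 8 2 FEDCBA9876543210
broken.example.test. 3600 IN RRSIG DS 8 3 3600 20120222000000 20120123000000 12345 example.test. AAAA
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime; RRSIG times are always UTC."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_zone(text):
    """Minimal presentation-format parser: one record per line,
    'owner ttl class type rdata...'. Assumes no $ORIGIN/$TTL directives,
    no multi-line parentheses and fully qualified owner names."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed record: {line!r}")
        owner, ttl, rclass, rtype = fields[:4]
        records.append((owner.lower(), int(ttl), rclass, rtype, fields[4:]))
    return records


def apex_name(records):
    for owner, _, _, rtype, _ in records:
        if rtype == "SOA":
            return owner
    raise ValueError("zone has no SOA")


def orphan_ds_names(records):
    """Names with a DS RRset but no NS RRset. A DS alone is not a
    delegation; publishing it commits the parent to a child that
    resolvers cannot actually reach."""
    apex = apex_name(records)
    ns_names = {o for o, _, _, t, _ in records if t == "NS" and o != apex}
    ds_names = {o for o, _, _, t, _ in records if t == "DS"}
    return sorted(ds_names - ns_names)


def rrsig_expirations(records):
    """(owner, type covered, expiration) for every RRSIG in the zone.
    RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig."""
    out = []
    for owner, _, _, rtype, rdata in records:
        if rtype != "RRSIG":
            continue
        exp = datetime.strptime(rdata[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        out.append((owner, rdata[0], exp))
    return out


def signatures_near_expiry(records, now, warn_before=timedelta(days=3)):
    """RRSIGs already expired or expiring within warn_before of now."""
    return [(o, c, e) for o, c, e in rrsig_expirations(records) if e <= now + warn_before]


def lint_zone(text, now):
    """Run both checks; an empty result on every key means the zone is clean."""
    records = parse_zone(text)
    expiring = signatures_near_expiry(records, now)
    return {
        "orphan_ds": orphan_ds_names(records),
        "expiring": [(o, c, e.strftime("%Y%m%d%H%M%S")) for o, c, e in expiring],
    }


if __name__ == "__main__":
    problems = lint_zone(SAMPLE_ZONE, utc(2012, 2, 20))
    for name in problems["orphan_ds"]:
        print(f"ERROR: DS at {name} but no NS delegation")
    for owner, covered, exp in problems["expiring"]:
        print(f"ERROR: RRSIG {covered} at {owner} expires {exp}")
    # Fail loudly so the pipeline stops; a report that is merely
    # logged is the kind that gets overlooked.
    raise SystemExit(1 if any(problems.values()) else 0)
```

The point of the non-zero exit is the one Mark's summary makes: the signing scripts did report the error, but a report is easy to miss, whereas a signing job that refuses to install the zone is not. Run something like this against the signer's output before it is loaded, and on a schedule against the served zone, so that an RRSIG drifting toward expiry is caught days ahead rather than by resolvers.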