Question about cache reload

Mark Andrews marka at isc.org
Tue Jul 23 01:21:44 UTC 2013


In message <C27F9ADB-21A3-445D-87BC-A97374E62884 at cnri.reston.va.us>, Stanley Weilnau writes:
> I have just set up DNSSEC on bind 9.9.3.  I had set up the zone and put a DS
> record out at the registrar.  Several days later I found that I had set up the
> keys incorrectly using only NSEC versus NSEC3 so I changed the keys.  I deleted
> the old keys and DS record, and had bind resign everything and put out the
> new DS record.  I used some testing sites and things looked good.  I then
> got a message from an administrator at a remote site running bind in strict
> mode stating my DNSSEC was broken.  It turns out he had cached the old info and
> it had not updated.  From this I am guessing that bind does not flush cache
> if there is a problem like this, it just fails to resolve.
> 
> The other question I am attempting to research is what is the best way to do
> the yearly rekeying and updating of the DS records at the registrar to avoid
> this in the future.
> 
> -- 
> Stanley Weilnau
 
You have NEVER been able to change anything in the DNS instantaneously.
DNSSEC just makes that more obvious as you get big breakages instead
of little breakages.

For example when you are changing nameservers the old servers should
be configured to serve the new zone content with the new nameservers
and the old nameservers only get turned off once all the cached
NS records referring to them have expired.  If you don't do that
caches can continue to query the old servers forever.

Firstly you should not use NSEC3 unless you NEED to use NSEC3, NSEC
is more than sufficient for most zones.  NSEC3 is more expensive
for both servers and clients.  99.999% of zones (forward and reverse)
DO NOT need to use NSEC3.  They derive NO benefit from NSEC3 compared
to using NSEC.  In most cases NSEC3 is actually a negative as not
only is it more computationally expensive it is harder to debug.

NSEC3 is pointless for IP6.ARPA, IN-ADDR.ARPA and any other similarly
structured zones.  The structure defeats any attempt to prevent zone
walking.

For most forward zones preventing zone walking does NOTHING except
give warm fuzzy feelings.  It does NOT make your machines any safer.
Yes I know that this is against all the advice you have received
in the past but really it doesn't appreciably help and you are
deluding yourself if you think it does.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
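As an added illustration (not code from the post, from BIND, or from Mark Andrews), the following Python model shows why removing the old keys and the DS record at the same moment broke the remote strict-mode resolver, and why a staged double-signature KSK rollover (RFC 6781) does not. It tracks only key tags and TTLs, with no real cryptography; the TTLs, key tags, timings and the `Resolver`/`failing_probes` helpers are all constructed for the example.

```python
"""Why an abrupt DNSSEC key + DS swap breaks validating resolvers, and why a
staged rollover does not.  Constructed example (not code from the bind-users
post or from BIND); caches are modelled by key tag only, with no real crypto."""
from dataclasses import dataclass, field

# Constructed TTLs: a short DNSKEY TTL in the child zone and a day-long DS TTL
# at the parent, a common combination.
DNSKEY_TTL = 3600
DS_TTL = 86400
OLD, NEW = 11111, 22222   # constructed key tags for the old and new KSK


@dataclass
class Cached:
    rrset: frozenset   # key tags present in the cached RRset
    expires: int       # absolute time in seconds at which the TTL runs out


@dataclass
class Resolver:
    """Minimal validating cache: it reuses a fetched DS or DNSKEY RRset until
    the TTL expires, exactly what the remote admin's resolver did."""
    cache: dict = field(default_factory=dict)

    def lookup(self, rrtype, auth, now):
        c = self.cache.get(rrtype)
        if c is None or c.expires <= now:
            rrset, ttl = auth[rrtype]
            c = Cached(frozenset(rrset), now + ttl)
            self.cache[rrtype] = c
        return c.rrset

    def validates(self, auth, now):
        # The chain of trust holds only if some cached DS matches a key
        # in the cached DNSKEY RRset.
        return bool(self.lookup("DS", auth, now) & self.lookup("DNSKEY", auth, now))


def authoritative_view(schedule, now):
    """What the authoritative servers (and the parent) publish at time `now`.
    `schedule` is a list of (time, rrtype, key_tags) changes, in time order."""
    auth = {"DS": ({OLD}, DS_TTL), "DNSKEY": ({OLD}, DNSKEY_TTL)}
    for when, rrtype, tags in schedule:
        if when <= now:
            auth[rrtype] = (set(tags), auth[rrtype][1])
    return auth


def failing_probes(schedule, first_query, last_probe, step=DNSKEY_TTL):
    """Probe one resolver (first query at `first_query`) every `step` seconds
    and return the times at which validation fails."""
    r = Resolver()
    return [t for t in range(first_query, last_probe, step)
            if not r.validates(authoritative_view(schedule, t), t)]


def abrupt_swap(at):
    """What the post describes: old keys and old DS removed at the same instant."""
    return [(at, "DNSKEY", {NEW}), (at, "DS", {NEW})]


def double_signature_rollover(start, margin=600):
    """RFC 6781 double-signature KSK rollover: each step waits out the TTL of
    the RRset that caches may still hold, plus a safety margin."""
    publish_new = start                          # both KSKs in the DNSKEY RRset
    swap_ds = publish_new + DNSKEY_TTL + margin  # every cache now sees both keys
    retire_old = swap_ds + DS_TTL + margin       # every cache now sees the new DS
    return [(publish_new, "DNSKEY", {OLD, NEW}),
            (swap_ds, "DS", {NEW}),
            (retire_old, "DNSKEY", {NEW})]


if __name__ == "__main__":
    broken = failing_probes(abrupt_swap(100), 0, 2 * DS_TTL)
    clean = failing_probes(double_signature_rollover(100), 0, 3 * DS_TTL)
    print(f"abrupt swap: {len(broken)} failing probes, "
          f"from t={broken[0]}s until the old DS expires at t={DS_TTL}s")
    print(f"staged rollover: {len(clean)} failing probes")
```

With the abrupt swap, a resolver that cached the old DS at the parent keeps failing from the moment its DNSKEY RRset refreshes (only the new key) until the day-long DS TTL runs out; nothing the child zone does can shorten that window, because the stale record lives in someone else's cache. The staged schedule never produces a failure for any resolver regardless of when it first queried, which is the property the yearly rekeying procedure in the question needs.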

