Issues resolving outlook.office365.com
Thomas Sturm
tst at open.ch
Tue Jul 12 07:15:45 UTC 2016
Please also note that the below test is successful with a prefetch value of 0. To me this really looks like prefetching forgets to update RRSIGs.
Thomas
> On 06.07.2016, at 15:29, Thomas Sturm <tst at open.ch> wrote:
>
> Hi Mark,
>
> I may have found another (possibly related?) bug:
>
> I noticed that when validating a signed zone using delv by querying a local BIND caching server (v9.10.3-P4), it sometimes suddenly alerts "no valid RRSIG”. Indeed, when querying “dig ds mydomain +dnssec", it returns the DS records, but no RRSIG at all. The following sequence of commands (output simplified) makes me think this might be related to prefetch/cache expiry as well (prefetch value 2):
>
> $ while true; do dig ds mydomain; sleep 1; done
> ;; ANSWER SECTION:
> mydomain. 3 IN DS […]
> mydomain. 3 IN DS […]
> mydomain. 3 IN RRSIG DS […]
>
> ;; ANSWER SECTION:
> mydomain. 3600 IN DS […]
> mydomain. 3600 IN DS […]
> mydomain. 2 IN RRSIG DS […]
>
> ;; ANSWER SECTION:
> mydomain. 3599 IN DS […]
> mydomain. 3599 IN DS […]
> mydomain. 1 IN RRSIG DS […]
>
> ;; ANSWER SECTION:
> mydomain. 3598 IN DS […]
> mydomain. 3598 IN DS […]
> mydomain. 0 IN RRSIG DS […]
>
> ;; ANSWER SECTION:
> mydomain. 3597 IN DS […]
> mydomain. 3597 IN DS […]
>
>
> What’s your take on this?
>
> Regards,
> Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4117 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160712/892e885b/attachment.bin>
More information about the bind-users
mailing list