Hi folks...

Yesterday I performed a DNSSEC KSK rollover, updated DLV with the new keys, and confirmed successful updates to DLV via their script. According to DLV all zones are good. Upon completing this, I then removed the old keys from the DLV db for each zone I have registered. Now when I attempt to validate lookups against DLV, the lookups fail. To test lookup I was using:

    dig +dnssec www.kritek.net aaaa

Here's the logging output using debug 3 for dnssec: http://www.ardynet.com/kritek-dlv-fail.txt

I don't know the frequency that DLV updates its records, so I don't know if this is simply a matter of waiting for them to update (it's been ~24 hours since I completed the KSK rollover and updated DLV with the new keys), or if there's a configuration issue at my end, or if I deleted my old keys from DLV too soon.

Which begs another question: I recall reading in an RFC that there were a couple or three different "policies" regarding the manner of KSK rollovers, one being pre-publish. Is this the method best suited for DLV use? The last time I performed a KSK rollover, I didn't immediately remove the old keys from DLV, and I suspect this might be the cause of my current lookup issues.

Everything used locally is BIND 9.6.1 on Slackware Linux 12.0/12.1 and FreeBSD 7.2.

I'm not sure how to further troubleshoot DLV lookup problems. Any help/pointers/etc. would be greatly appreciated.

Thanks

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
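One way to check whether the DLV registry's entries still line up with the zone's published DNSKEY RRset after a rollover, as an added example that is not part of the original post or of BIND: it computes each DNSKEY's key tag and DS-style digest (a DLV record has the same layout as a DS record) and reports DLV entries that match no published key and SEP keys that have no DLV entry. The zone name and the three keys are constructed sample values, not kritek.net's real keys.

```python
import base64
import hashlib
# Constructed sample values (not real zone data): tiny fake public keys so the
# example runs offline. Key format: (flags, protocol, algorithm, base64 key).
ZONE = "example.net."
OLD_KSK = (257, 3, 8, "AQIDBA==")  # the KSK that was rolled out
NEW_KSK = (257, 3, 8, "BQYHCAkK")  # the KSK that was rolled in
ZSK = (256, 3, 8, "CwwNDg==")      # a zone-signing key, never registered in DLV

def wire_name(name):
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercase labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key bytes."""
    flags, proto, alg, pub = key
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pub)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_dlv(zone, key, digest_type=2):
    """DLV RDATA for a DNSKEY; it has the DS layout (RFC 4431): tag, alg, type, digest."""
    rdata = dnskey_rdata(key)
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type](wire_name(zone) + rdata)
    return (key_tag(rdata), key[2], digest_type, digest.hexdigest().upper())

def check_dlv(zone, dnskeys, dlv_records):
    """Compare the DLV entries with the zone's DNSKEY RRset. Reports entries
    that match a published key, stale entries that match none, and SEP keys
    (flags bit 15 set) that have no DLV entry and so cannot anchor a chain."""
    by_tag = {key_tag(dnskey_rdata(k)): k for k in dnskeys}
    matched, stale = [], []
    for tag, alg, dtype, digest in dlv_records:
        k = by_tag.get(tag)
        if k and dtype in (1, 2) and make_dlv(zone, k, dtype) == (tag, alg, dtype, digest.upper()):
            matched.append(tag)
        else:
            stale.append(tag)
    unanchored = [t for t, k in by_tag.items() if k[0] & 1 and t not in matched]
    return {"matched": matched, "stale": stale, "unanchored_ksks": unanchored}

if __name__ == "__main__":
    # DLV still holds the old KSK's entry while the zone now publishes only the new KSK.
    print(check_dlv(ZONE, [NEW_KSK, ZSK], [make_dlv(ZONE, OLD_KSK)]))
```

To run it against live data, paste the DNSKEY records from a `dig <zone> DNSKEY` query and the DLV records from a `dig <zone>.<dlv-registry-domain> DLV` query into the two lists; the parsing of dig's presentation format is left to the reader.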