I'll be reporting this to bind-bugs, but I thought I would mention it here in case others can confirm the effect.
Our two main ecursive nameservers used DNSSEC validation via dlv.isc.org. In the past we have had suspicions that there are glitches when new entries appear in the DLV zone. For example, we got reports that users were temporarily unable to access CERN web sites on the morning that "cz" went into dlv.isc.org. So I have been waiting with some trepidation for "arpa" to go in, although I held out the hope that any bugs of this sort would have been fixed by BIND 9.6.2, which we are now using. Well, it seems that they haven't. "arpa" went into dlv.isc.org this morning, and by the time I noticed that, one of the nameservers was giving SERVFAILs for many reverse lookups until I did an "rndc flushname arpa" on it. The other seemed OK, but I suspect it had been giving such SERVFAILs earlier. Of course, in an ideal world I would have taken cache dumps, etc, but these are operationally significant servers and it was more important to get reverse lookup working again asap. -- Chris Thompson Email: c...@cam.ac.uk _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
