On Mar 27 2010, Michael Sinatra wrote:
> On 03/25/10 05:21, Chris Thompson wrote:
>> I'll be reporting this to bind-bugs, but I thought I would mention it here
>> in case others can confirm the effect.
>>
>> Our two main recursive nameservers used DNSSEC validation via dlv.isc.org.
>> In the past we have had suspicions that there are glitches when new entries
>> appear in the DLV zone. For example, we got reports that users were
>> temporarily unable to access CERN web sites on the morning that "cz"
>> went into dlv.isc.org.
>
> I saw the same effect within the GOV domain, when the GOV trust-anchor
> was re-added to the ISC DLV last May:
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2009-May/003867.html
>
> This is not a DLV-only issue; my experience is that it also affects
> manually (or semi-automatically via scripts that modify
> named-trustedkeys) updated trust-anchors. 'rndc flush' is necessary to
> fix it.

If that's a requirement it ought to be documented. But of course there
is a difference: at least you know when you are changing trust anchors:
there's no way you can protect yourself against the sudden appearance of
a DLV (or DS) record in someone else's zone!
--
Chris Thompson
Email: c...@cam.ac.uk