On Thu, Feb 23, 2012 at 2:47 PM, Mark Andrews <ma...@isc.org> wrote:
>
> There were issues with the delegation of some zones. NS records
> were not added to the parent zone when they should have been but
> the scripts which sign the zones added DS records which caused the
> parent zone not to be resigned. The signatures for the parent zone
> eventually expired which caused resolution failures for all the
> children of the parent zone rather than just the zones with a broken
> delegation.
>
> The scripts that sign the zones did report the error but those
> reports were overlooked.
>
> Operations is looking at their procedures and what additional
> checking can be done to prevent a repeat.

I've seen several places, mostly in .gov, bitten by this one and I'll admit that it almost caught me, but the fact that the ISC tripped over this says volumes about how careful people have to be about handling details when DNSSEC is added. It simply can't be the "set and forget" DNS of the past, at least not until and unless tools become far more bullet-proof.

--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
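
Added example, not part of the original thread and not ISC's signing scripts: a pre-publication check for the two conditions described above, a DS RRset at a name with no NS RRset, and RRSIGs in the parent zone that are close to expiry. It assumes the zone has been normalised to one record per line; the zone data, the function names and the 7-day threshold are constructed for illustration.

```python
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: parent zone in one-record-per-line form. Names, key tags
# and digests are placeholders, not data from the incident.
SAMPLE_ZONE = """\
example.org. 3600 IN NS ns1.example.org.
example.org. 3600 IN RRSIG NS 8 2 3600 20120301000000 20120130000000 12345 example.org. c2ln
good.example.org. 3600 IN NS ns1.good.example.org.
good.example.org. 3600 IN DS 11111 8 2 ABCD
broken.example.org. 3600 IN DS 22222 8 2 EF01
"""

def records(zone_text):
    """Yield (owner, type, rdata fields) for each 'owner ttl class type rdata' line."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if line:
            owner, _ttl, _cls, rtype, *rdata = line.split()
            yield owner.lower(), rtype.upper(), rdata

def ds_without_ns(zone_text):
    """Owner names that carry a DS RRset but no NS RRset (no real delegation)."""
    ns = {o for o, t, _ in records(zone_text) if t == "NS"}
    ds = {o for o, t, _ in records(zone_text) if t == "DS"}
    return sorted(ds - ns)

def expiring_rrsigs(zone_text, now, min_remaining=timedelta(days=7)):
    """(owner, covered type) for RRSIGs with less than min_remaining validity left."""
    stale = []
    for owner, rtype, rdata in records(zone_text):
        if rtype == "RRSIG":
            # RRSIG rdata: covered alg labels ttl EXPIRATION inception tag signer sig
            expires = datetime.strptime(rdata[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            if expires - now < min_remaining:
                stale.append((owner, rdata[0]))
    return stale

if __name__ == "__main__":
    problems = ds_without_ns(SAMPLE_ZONE) + expiring_rrsigs(
        SAMPLE_ZONE, datetime.now(timezone.utc))
    for p in problems:
        print("DNSSEC check failed:", p)
    sys.exit(1 if problems else 0)
```

The non-zero exit status lets a wrapper script stop publication or page an operator instead of depending on someone reading a report.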