I have just set up DNSSEC on bind 9.9.3. I had set up the zone and put a DS record out at the registrar. Several days later I found that I had set up the keys incorrectly using only NSEC verses NSEC3 so i changed the keys. I deleted the old keys and DS record, and had bind resign everything and put out the new DS record. I used some testing sites and things looked good. I then got a message from an administrator at a remote site running bind in strict mode stating my DNSSEC was broken. It turns out he had cached the old info and it had not updated. From this I am guessing that bind does not flush cache if there is a problem like this, it just fails to resolve.
The other question I am attempting to research is what is the best way to do the yearly rekeying and updating of the DS records at the registrar to avoid this in the future. -- Stanley Weilnau _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
