In message <c27f9adb-21a3-445d-87bc-a97374e62...@cnri.reston.va.us>, Stanley Weilnau writes:

> I have just set up DNSSEC on bind 9.9.3. I had set up the zone and put a DS
> record out at the registrar. Several days later I found that I had set up the
> keys incorrectly using only NSEC versus NSEC3, so I changed the keys. I deleted
> the old keys and DS record, and had bind resign everything and put out the new
> DS record. I used some testing sites and things looked good. I then got a
> message from an administrator at a remote site running bind in strict mode
> stating my DNSSEC was broken. It turns out he had cached the old info and it
> had not updated. From this I am guessing that bind does not flush cache if
> there is a problem like this, it just fails to resolve.
>
> The other question I am attempting to research is what is the best way to do
> the yearly rekeying and updating of the DS records at the registrar to avoid
> this in the future.
>
> --
> Stanley Weilnau

You have NEVER been able to change anything in the DNS instantaneously. DNSSEC just makes that more obvious, as you get big breakages instead of little breakages.

For example, when you are changing nameservers the old servers should be configured to serve the new zone content with the new nameservers, and the old nameservers only get turned off once all the cached NS records referring to them have expired. If you don't do that, caches can continue to query the old servers forever.

Firstly, you should not use NSEC3 unless you NEED to use NSEC3; NSEC is more than sufficient for most zones. NSEC3 is more expensive for both servers and clients. 99.999% of zones (forward and reverse) DO NOT need to use NSEC3. They derive NO benefit from NSEC3 compared to using NSEC. In most cases NSEC3 is actually a negative, as not only is it more computationally expensive, it is harder to debug.

NSEC3 is pointless for IP6.ARPA, IN-ADDR.ARPA and any other similarly structured zones. The structure defeats any attempt to prevent zone walking.

For most forward zones preventing zone walking does NOTHING except give warm fuzzy feelings. It does NOT make your machines any safer. Yes, I know that this is against all the advice you have received in the past, but really it doesn't appreciably help and you are deluding yourself if you think it does.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
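An added example, not part of either mail in the thread: a check for the first problem Stanley describes, a DS set at the registrar that no longer lines up with the DNSKEYs the zone actually serves. It derives DS records from DNSKEY RDATA the way RFC 4034 specifies (key tag, SHA-256 digest over the canonical owner name plus the RDATA) and reports any published DS that matches no current key; the zone name and key material are constructed placeholders.

```python
import base64
import hashlib
import struct

# Constructed sample data (not from the thread): a zone with a single KSK.
ZONE = "example.net."
# (flags, protocol, algorithm, base64 public key); 257 = KSK, 8 = RSA/SHA-256.
ZONE_DNSKEYS = [(257, 3, 8, "AQIDBA==")]  # key bytes 01 02 03 04, a placeholder


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str):
    """DS RDATA (key tag, algorithm, digest type 2 = SHA-256, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def check_chain(owner, dnskeys, published_ds):
    """Compare the parent's DS set with the zone's DNSKEY set.

    Returns (covered, stale): DS records matching a current DNSKEY, and DS records
    matching none, e.g. a DS left behind for a key that was deleted and re-signed over.
    """
    computed = {make_ds(owner, *key) for key in dnskeys}
    published = set(published_ds)
    return computed & published, published - computed


if __name__ == "__main__":
    good = make_ds(ZONE, *ZONE_DNSKEYS[0])
    stale = (good[0], good[1], 2, "00" * 32)  # constructed DS for a key no longer in the zone
    covered, leftover = check_chain(ZONE, ZONE_DNSKEYS, [good, stale])
    print("covered:", covered)
    print("stale DS still published:", leftover)
```

Any entry in the stale set is a DS that resolvers may still be validating against while the matching DNSKEY is gone, which is the failure the remote strict-mode resolver reported.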