I am working on a simple script to test various scenarios, including key and algorithm rollovers, against (bind, unbound, ultradns, verisign, google) resolvers using 510sg.com as a testing domain. A very simple scenario is a bad ksk key rollover, where we:

1) generate ksk, zsk and wait until everyone agrees we have a valid dnssec zone. Get the DS and DNSKEY records cached into the resolver with a reasonably long ttl.
2) generate new keys, throw away the old keys, upload the new DS records to the parent.
3) ask the resolver for test30m.510sg.com, which has a short 1800 second ttl, and should not be in the cache.

I would expect that to fail validation, since the old DS/DNSKEY records are cached, but the new RRSIG for test30m.510sg.com has a signature from the new keys.

That does fail using bind, unbound, ultradns, and verisign. However, google (8.8.8.8) consistently says that it passes validation. After claiming that test30m.510sg.com passes validation, with the new rrsig, google (8.8.8.8) still returns the old DS and DNSKEY records.

My guess is that this inconsistency is caused by load balancing, where the DS and DNSKEY queries are hitting a different backend server than the one that is used for the test30m A query.

Would such inconsistencies cause problems for a bind installation that is doing dnssec validation but forwarding to 8.8.8.8?
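The mismatch the poster describes (a fresh RRSIG whose key tag matches none of the DNSKEYs the resolver is still serving, while the cached DS still points at the old KSK) can be checked offline from the records a resolver hands back. The script below is an added example, not the poster's test script: it parses DNSKEY, DS and RRSIG records in the presentation format `dig +dnssec` prints, computes RFC 4034 key tags, and reports whether the signature could have been produced by any key in the cached DNSKEY RRset. All record data (key material, DS digest, signature dates and the `510sg.com` lines) is constructed sample input, not real zone data, and each DNSKEY is assumed to sit on a single line.

```python
"""Offline consistency check between a resolver's cached DNSKEY/DS RRsets and
the RRSIG on a freshly fetched answer. Added example with constructed data."""
import base64
import struct


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata, algorithm):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    if algorithm == 1:  # obsolete RSA/MD5 special case: bytes 3 and 2 from the end
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_tags(lines):
    """Key tags of every DNSKEY record in presentation format:
    owner ttl class DNSKEY flags protocol algorithm base64..."""
    tags = []
    for line in lines:
        f = line.split()
        if len(f) >= 8 and f[3] == "DNSKEY":
            alg = int(f[6])
            tags.append(key_tag(dnskey_rdata(int(f[4]), int(f[5]), alg, "".join(f[7:])), alg))
    return tags


def parse_ds_tags(lines):
    """Key tags referenced by DS records: owner ttl class DS keytag alg digesttype digest.
    Only the key-tag linkage is checked here; the digest itself is not recomputed."""
    return [int(l.split()[4]) for l in lines if len(l.split()) >= 8 and l.split()[3] == "DS"]


def parse_rrsig_tags(lines):
    """Key tags in RRSIG records: owner ttl class RRSIG type alg labels origttl
    expiration inception keytag signer signature."""
    return [int(l.split()[10]) for l in lines if len(l.split()) >= 12 and l.split()[3] == "RRSIG"]


def check_consistency(dnskey_lines, ds_lines, rrsig_lines):
    """Report whether the RRSIG signer exists in the cached DNSKEY RRset and
    whether the cached DS points at one of those keys. A validator that sees
    rrsig_signer_cached == False has no chain to the signature and must treat
    the answer as bogus, regardless of what the DS says."""
    cached = parse_dnskey_tags(dnskey_lines)
    ds_tags = parse_ds_tags(ds_lines)
    sig_tags = parse_rrsig_tags(rrsig_lines)
    return {
        "cached_key_tags": cached,
        "ds_key_tags": ds_tags,
        "ds_points_at_cached_key": any(t in cached for t in ds_tags),
        "rrsig_key_tags": sig_tags,
        "rrsig_signer_cached": all(t in cached for t in sig_tags),
    }


# Constructed sample data modelling the post's step 3: the resolver still serves
# the OLD DNSKEY RRset and OLD DS, but the fresh A answer carries a NEW signature.
SAMPLE_DNSKEY = [
    "510sg.com. 3600 IN DNSKEY 257 3 8 AQIDBA==",   # old KSK, constructed key bytes 01020304
    "510sg.com. 3600 IN DNSKEY 256 3 8 CQoLDA==",   # old ZSK, constructed key bytes 090a0b0c
]
SAMPLE_DS = [
    "510sg.com. 86400 IN DS 2063 8 2 " + "00" * 32,  # placeholder digest, key tag of old KSK
]
SAMPLE_RRSIG = [
    # key tag 4119 belongs to a NEW key (constructed bytes 05060708) that is not in the cache
    "test30m.510sg.com. 1800 IN RRSIG A 8 3 1800 20160315000000 20160215000000 4119 510sg.com. c2ln",
]

if __name__ == "__main__":
    for k, v in check_consistency(SAMPLE_DNSKEY, SAMPLE_DS, SAMPLE_RRSIG).items():
        print(f"{k}: {v}")
```

Against a live resolver the same functions can be fed the answer sections of `dig +dnssec DNSKEY`, `dig +dnssec DS` and `dig +dnssec A test30m.510sg.com`; if `rrsig_signer_cached` is false while the resolver still reports the answer as validated, the resolver is not validating against the DNSKEY RRset it is serving, which is exactly the inconsistency a forwarding validator downstream would have to resolve on its own.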