Also stop hiding this breakage. Knot and unbound ignore the NSEC records which trigger this when synthesising. All it does is push the problem down the road and makes it harder for others to do proper synthesis based on the records returned.
-- 
Mark Andrews

> On 1 Dec 2021, at 18:36, Philip Homburg <pch-dnso...@u-1.phicoh.com> wrote:
> 
>> It is clear from the blog post that this is a fairly sophisticated
>> group of ops people, who had a reasonable test plan, a bunch of test
>> points set up in dnsviz and so forth. Neither of these bugs seems
>> very exotic, and could have been caught by routine tests.
> 
> It is not clear whether or not they did ZSK and KSK key rollovers
> on test zones and on minor zones. If they didn't, that's a good way to
> get in trouble later on.
> 
> The main lesson learned from this incident seems to be to always create
> a test zone with content identical to that of the main zone and fully
> test that zone.
> 
> A common lesson, also not mentioned, is to have low TTLs for stuff you
> control. It would not have helped with the DS record. But the discussion
> about the ZSK being lost would have been helped with a low TTL in the DNSKEY
> RR set.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
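The two lessons quoted above (rehearse on a test zone, keep the DNSKEY TTL low, and make sure the DS at the parent really points at a key in the zone) can be turned into a pre-rollover check. The script below is an added example written for this thread; it is not code from either poster or from any DNS software. The zone text, the DS lines and the public-key bytes in it are constructed filler (`example.test.`, byte-range "keys"), not real key material; the DS digest and key tag are computed as RFC 4034 / RFC 4509 specify, so the same functions work on a real zone file.

```python
"""Pre-rollover sanity checks for a DNSSEC zone (added example, not from the thread).

Two checks worth running against a test zone before touching production:
  1. every DNSKEY record carries a TTL at or below a chosen ceiling, so a
     botched rollover can be backed out quickly;
  2. the DS record the parent publishes matches a KSK actually in the zone
     (digest recomputed from the DNSKEY RDATA per RFC 4034 / RFC 4509).

All sample data below is constructed; the key bytes are filler, not keys.
"""
import base64
import hashlib
import struct

# --- DNSKEY / DS helpers (RFC 4034 / RFC 4509) ---------------------------

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner wire form || DNSKEY RDATA); type 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(owner_to_wire(owner) + rdata).hexdigest().upper()

# --- minimal zone-file reader: one-line records with an explicit class ---

def parse_records(zone_text: str):
    """Yield (owner, ttl, rtype, fields); '$' directives and ';' comments are skipped."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        owner, ttl, _rclass, rtype, *fields = line.split()
        yield owner, int(ttl), rtype, fields

def dnskeys_over_ttl(zone_text: str, max_ttl: int):
    """Return (owner, ttl) for every DNSKEY whose TTL exceeds max_ttl."""
    return [(o, ttl) for o, ttl, t, _ in parse_records(zone_text)
            if t == "DNSKEY" and ttl > max_ttl]

def ds_matches_zone(ds_line: str, zone_text: str) -> bool:
    """True if the parent's DS (tag, algorithm, digest type, digest) matches a DNSKEY in the zone."""
    owner, _ttl, rtype, f = next(parse_records(ds_line))
    assert rtype == "DS"
    tag, alg, dtype, digest = int(f[0]), int(f[1]), int(f[2]), f[3].upper()
    for o, _t, t, kf in parse_records(zone_text):
        if t != "DNSKEY" or o.lower() != owner.lower():
            continue
        flags, proto, kalg = int(kf[0]), int(kf[1]), int(kf[2])
        rdata = dnskey_rdata(flags, proto, kalg, base64.b64decode("".join(kf[3:])))
        if kalg == alg and key_tag(rdata) == tag and ds_digest(o, rdata, dtype) == digest:
            return True
    return False

# --- constructed sample data ----------------------------------------------

KSK_PUB = bytes(range(64))        # filler bytes standing in for a 64-byte P-256 key
ZSK_PUB = bytes(range(64, 128))   # filler as well
SAMPLE_ZONE = (
    "$TTL 3600\n"
    f"example.test. 86400 IN DNSKEY 257 3 13 {base64.b64encode(KSK_PUB).decode()}\n"
    f"example.test. 300 IN DNSKEY 256 3 13 {base64.b64encode(ZSK_PUB).decode()}\n"
)

def parent_ds_line(owner: str, flags: int, proto: int, alg: int, pubkey: bytes, dtype: int = 2) -> str:
    """Build the DS line a parent would publish for the given DNSKEY."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return f"{owner} 3600 IN DS {key_tag(rdata)} {alg} {dtype} {ds_digest(owner, rdata, dtype)}"

GOOD_DS = parent_ds_line("example.test.", 257, 3, 13, KSK_PUB)
# DS for a KSK that has already been removed from the zone: the broken-delegation case.
STALE_DS = parent_ds_line("example.test.", 257, 3, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    print("DNSKEYs with TTL over 1h:", dnskeys_over_ttl(SAMPLE_ZONE, 3600))
    print("parent DS matches a zone KSK:", ds_matches_zone(GOOD_DS, SAMPLE_ZONE))
    print("stale DS matches a zone KSK:", ds_matches_zone(STALE_DS, SAMPLE_ZONE))
```

Run it against a real zone by replacing `SAMPLE_ZONE` with the text of the candidate zone file and `GOOD_DS` with the DS line as returned by the parent; the KSK line in the sample deliberately carries a one-day TTL so the TTL check has something to flag.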