On Nov 18 2013, Anand Buddhdev wrote:
On 17/11/2013 18:57, Chris Thompson wrote:
Hi Chris,
As a matter of interest to many of us, what are ARIN's operational
procedures for interlocking KSK rollovers in NNN.in-addr.arpa zones
with the change of DS records in in-addr.arpa?
(Of course we could ask the same question of the other RIRs as well...)
I haven't understood your question fully, but let me try answering.
I think you have addressed exactly the point I had in mind.
The RIPE NCC's procedure involves removing the old DS records, and
inserting the new ones, in a single transaction, when we do KSK
roll-overs. This saves us from having to do double the work.
Last week, we began KSK roll-overs for all the RIPE NCC's zones. We
began a slow start by updating the DS records for just 2.in-addr.arpa.
However, our update did not appear in the in-addr.arpa zone. Our DNSSEC
signer will not withdraw the old KSK until it has seen the new DS
record, so it patiently kept waiting and logging this fact. We informed
ICANN, and they fixed the operational issue in their provisioning system
that was blocking the update. We expect to update the DS records of all
zones this week.
It's the "wait for the new DS record(s) to appear in the parent zone"
step (rather than "perform the action that will (should) cause them
to appear and then assume that will happen in a timely fashion") that
seems to be the critical point. Maybe I am misinterpreting Matt Rowley's
messages, but it sounded as if this was how the problem with
174.in-addr.arpa happened.
One can still argue as to whether one should ratchet up one's degree
of paranoia further, though. Published at *all* authoritative nameservers
for the parent zone, or just one? (And "all" may be difficult to check
when anycast configurations are in use.) Should one allow for the
possibility that the parent zone might revert to an earlier version,
and if so for how long? And so on ... :-(
--
Chris Thompson University of Cambridge Computing Service,
Email: [email protected] Roger Needham Building, 7 JJ Thomson Avenue,
Phone: +44 1223 334715 Cambridge CB3 0RB, United Kingdom.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
