In message <[email protected]>, Paul Wouters writes:
> On Tue, 8 Sep 2009, Stephane Bortzmeyer wrote:
>
> [added [email protected] to the reply]
>
> > Subject: [Unbound-users] .PR servfails with Unbound but not with BIND
>
> > % dig SOA pr.
>
> > I get the key through DLV.
>
> It's outdated and wrong and missing the new key.
>
> On Aug 19 2009, pr added this key:
>
> > PR. IN DNSKEY 257 3 5 AwEAAeDPv9lQ7Ej5Ld9Fz/FKLhdOajwtEXsWykj65ugIa4Di1nY6ti9n
> dkeR4kp1aSNlvf6N7KsjunfMJj4SccBwcY77DrxmQ+g9nI09ePMZvxF2
> U63Lv9BftGaIguYdkYZVSwHd1q7DdXqNkLaD4tZEHiN0h/3wBdTQUPH1
> IoskD1vGxiPw2egftk6sVQdvOJWaAgSpmG0eq+/e90WVTNX4/xhA17Pr
> dQQJIheZQ3+EsDoil8kyJZC12KoHYpFklx7+aCiR2u8Fumy6ARFR4PP0
> n7bnBaKOgMpVzz+KI79a3USDkj9RhNog50iSWgaBM75Xu0IBNEpcCVYZ
> YjwDESgiDXc=
>
> And on Sep 4 2009, pr removed this key:
>
> < PR. IN DNSKEY 257 3 5 AwEAAc6SkFSHw00wJFUWd1Td/efsxhfX+UTrxrzqQXNuZ8Qj2PiP6p/m
> BxysJt06XgSCB41CPhkgvgqrtdaJ/hXKG81xNXUcGfqvV9wYMJnN+oBB
> /lLaQU/39fWaNc4fBGiRI2dNDVKPry2YX6y04YrEGRM+wf6HWHVdW1Js
> xuMuDOSr

Which is a ridiculously short key rollover period (16 days)
when the parent is not signed. Lots of tracking of TLD
keys is completely manual.

> > % dig DLV pr.dlv.isc.org.
>
> > ;; ANSWER SECTION:
> > pr.dlv.isc.org. 3255 IN DLV 62704 5 2 57E017A982196D194B3F52CDD39F86A9A33DED75064F285A9242BA7A 448A659C
> > pr.dlv.isc.org. 3255 IN DLV 62704 5 1 AFA72CB11D4C97657D82338AF6D569ED614166EB
>
> These are the old key, and that DLV record should be removed. The new DLV record should be:
>
> pr.dlv.isc.org. IN DLV 6277 5 2 6966580bb25c608540e8224039561c7b2a1488d1f927c5cdbd137f4ef3d31528
> pr.dlv.isc.org. IN DLV 6277 5 1 05d02dce8385974d958a5db409f6ff3658293b2
>
> I guess we need a MUCH better communication method between TLD's, iTAR and ISC's DLV. This is bad.
>
> Paul
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
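
A check for the failure discussed in this thread, as an added example (not from the original messages and not ISC or Unbound code): it computes the key tag and digest that a DLV or DS record must carry for each key in a zone's current DNSKEY set, following RFC 4034, and reports published anchors that match none of them. The keys are constructed samples rather than the PR keys quoted above, and all function names are hypothetical.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS/DLV digest types 1 and 2

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire format: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (any algorithm except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Canonical (lower-cased) wire form of the owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """Digest over owner name | DNSKEY RDATA, as carried in DS and DLV records."""
    return DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest()

def anchor_for(owner, key, digest_type):
    """(key tag, algorithm, digest type, digest) a DLV record for `key` must carry."""
    rdata = dnskey_rdata(*key)
    return (key_tag(rdata), key[2], digest_type, ds_digest(owner, rdata, digest_type))

def stale_anchors(owner, dnskeys, anchors):
    """Anchors that match no SEP (flags bit 0) key in the zone's current DNSKEY set."""
    live = {anchor_for(owner, k, dt) for k in dnskeys if k[0] & 1 for dt in DIGESTS}
    norm = lambda a: (a[0], a[1], a[2], a[3].replace(" ", "").lower())
    return [a for a in anchors if norm(a) not in live]

# Constructed sample keys (not the PR keys from the thread): (flags, proto, alg, base64)
OLD_KSK = (257, 3, 5, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = (257, 3, 5, base64.b64encode(bytes(range(64, 128))).decode())

if __name__ == "__main__":
    published = [anchor_for("pr.", OLD_KSK, dt) for dt in (2, 1)]  # registry still lists old key
    for tag, alg, dt, digest in stale_anchors("pr.", [NEW_KSK], published):
        print(f"STALE pr. DLV {tag} {alg} {dt} {digest}")
```

Run periodically against the zone's live DNSKEY answer and the registry's DLV answer, a non-empty result is the signal that a rollover has outpaced the trust-anchor repository.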