nanog mailing list archives

Re: ISC DLV


From: Paul Vixie <vixie () isc org>
Date: Sun, 05 Apr 2009 07:00:53 +0000

Paul Ferguson <fergdawgster () gmail com> writes:

> On Sat, Apr 4, 2009 at 9:55 PM, Marcelo Gardini do Amaral
> <mgardini () gmail com> wrote:
>
>> Guys,
>>
>> are you having problems validating DNSSEC using ISC DLV?
>
> No idea, but I did see another reference to this over on the OARC dns-ops
> list:
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2009-April/003726.html

note, this isn't a ddos, so it's probably not related to the other dns ddos
events that have been discussed here recently.

see also geoff's reply on that thread:

Date: Sat, 04 Apr 2009 23:15:55 -0700
From: "Geoffrey Sisson" <geoff () geoff co uk>
To: dns-operations () lists dns-oarc net
Subject: Re: [dns-operations] ISC DLV broken?
Sender: dns-operations-bounces () lists dns-oarc net

mvn () ucla edu (Michael Van Norman) wrote:

> Starting a bit after 18:00, my home machines started failing DNSSEC
> validation using the ISC DLV.
> ...
> Are other people seeing this?

Yes, starting at around the same time (PDT).

Peter_Losher () isc org (Peter Losher) wrote:

> ISC is aware that there is an issue with lookups against dlv.isc.org and
> are investigating the cause behind it.  You may want to disable DNSSEC
> validation against dlv.isc.org at this time.

It appears as if the RRSIG RRset returned by the DLV nameservers for
"dlv.isc.org" is missing the RRSIG for the KSK, so validation for
dlv.isc.org is failing.  It _does_ contain the RRSIG for the ZSK (key
id 64263).

As a test I tried changing the trusted key to the ZSK, and DLV validation
appeared to work correctly.  This is, of course, not a recommended
work-around.

Geoff
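
The condition described in the forwarded message (a DNSKEY RRset carrying an RRSIG made by the ZSK but none made by the KSK) can be checked for mechanically. The following is an added example, not part of the original thread: it parses dig-style DNSKEY and RRSIG lines and reports SEP-flagged keys that have no signature over the DNSKEY RRset. The key material, signatures, timestamps, and algorithm number are constructed sample values; the check covers presence of an RRSIG only, not its cryptographic validity.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def dnskey_signers(zone_text, owner):
    """Return ({key tag: flags} for DNSKEYs at owner, {tags that signed the DNSKEY RRset})."""
    keys, signers = {}, set()
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0].lower() != owner.lower():
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            keys[key_tag(flags, proto, alg, "".join(f[7:]))] = flags
        elif f[3] == "RRSIG" and f[4] == "DNSKEY" and len(f) > 10:
            signers.add(int(f[10]))  # key tag field of the RRSIG
    return keys, signers

def unsigned_ksks(zone_text, owner):
    """Key tags of SEP-flagged keys (KSKs) with no RRSIG over the DNSKEY RRset."""
    keys, signers = dnskey_signers(zone_text, owner)
    return sorted(t for t, fl in keys.items() if fl & 1 and t not in signers)

# Constructed sample data: dummy key bytes and signatures, not ISC's real records.
KSK_B64 = base64.b64encode(b"constructed-ksk-public-key").decode()
ZSK_B64 = base64.b64encode(b"constructed-zsk-public-key").decode()
KSK_TAG = key_tag(257, 3, 5, KSK_B64)
ZSK_TAG = key_tag(256, 3, 5, ZSK_B64)

def sample(signing_tags):
    """Build a dig-style answer whose DNSKEY RRset is signed by the given key tags."""
    lines = [f"dlv.isc.org. 3600 IN DNSKEY 257 3 5 {KSK_B64}",
             f"dlv.isc.org. 3600 IN DNSKEY 256 3 5 {ZSK_B64}"]
    lines += [f"dlv.isc.org. 3600 IN RRSIG DNSKEY 5 3 3600 20090501000000 "
              f"20090401000000 {t} dlv.isc.org. ZHVtbXk=" for t in signing_tags]
    return "\n".join(lines)

if __name__ == "__main__":
    print("healthy:", unsigned_ksks(sample([KSK_TAG, ZSK_TAG]), "dlv.isc.org."))
    print("KSK RRSIG missing:", unsigned_ksks(sample([ZSK_TAG]), "dlv.isc.org."))
```

A validator whose trust anchor is the KSK has no signature it can chain to in the second case, which is why swapping the trusted key to the ZSK made validation appear to work.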