Re: dnssec lookaside to dlv.isc.org broke recursion - DNS



Thread: Re: dnssec lookaside to dlv.isc.org broke recursion

  1. Re: dnssec lookaside to dlv.isc.org broke recursion

    * Vinny Abello:

    > I've got two recursive DNS servers running on FreeBSD 7.0 each with
    > BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.


    The annual key rollover for dlv.isc.org happened 30 days ago, and the
    transition period is now over. You probably failed to perform that
    rollover.


  2. Re: dnssec lookaside to dlv.isc.org broke recursion

    "Florian Weimer" wrote in message
    news:gdqfih$l14$1@sf1.isc.org...
    > * Vinny Abello:
    >
    > > I've got two recursive DNS servers running on FreeBSD 7.0 each with
    > > BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.

    >
    > The annual key rollover for dlv.isc.org happened 30 days ago, and the
    > transition period is now over. You probably failed to perform that
    > rollover.



    I see nothing on the resource https://secure.isc.org/ops/dlv/index.php that
    tells us that there is a periodic rollover of the key-signing-key for the
    DLV. I expect that the zone-signing-key ("256") and ONLY that key will be
    changed every month. The key-signing-key shouldn't be changed very often
    (if at all). Remember that this is a transitional mechanism that should
    only be in place for a short number of years.

    If isc.org is going to change it annually or so, fine, but then let them
    publish about 4 key-signing-keys, even if only one is actively used. That
    would be 4 years worth of keys, which should be enough to cover 4+ years -
    long enough for ICANN to get off their asses and sign the root zone.


    Might using the wrong key-signing-key as a trusted key be the cause of the
    assertion failure I reported in a separate thread?
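As an added example that is not part of this thread (and not ISC's or BIND's own tooling), the following Python script checks for the failure mode Florian describes in the first reply and the 256/257 confusion raised in the second: it parses a BIND `trusted-keys` block, computes each key's RFC 4034 Appendix B key tag, and compares the configured anchors against the DNSKEY RRset currently published for dlv.isc.org, flagging anchors that are no longer published (a missed rollover) and anchors that are zone-signing keys (flags 256) rather than key-signing keys (flags 257, SEP bit set). The named.conf fragment and the dig-style output below are constructed samples with made-up key material, not the real DLV keys; in practice you would paste in your own `trusted-keys` block and the live output of `dig dlv.isc.org DNSKEY`.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsKey:
    """One DNSKEY record: owner name, RDATA fields, base64 public key."""
    name: str
    flags: int
    protocol: int
    algorithm: int
    key_b64: str

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.key_b64))

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag (general algorithm; not the special case
        # for algorithm 1, which the DLV zone never used)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_ksk(self) -> bool:
        # RFC 4034 2.1.1: the SEP bit (low-order bit of flags) marks a KSK,
        # so 257 is a KSK and 256 is a ZSK
        return bool(self.flags & 0x0001)


# Matches each entry inside a named.conf trusted-keys block; the quoted key
# may span lines, so whitespace inside it is stripped afterwards.
_TRUSTED_KEY_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')


def parse_trusted_keys(conf: str) -> list[DnsKey]:
    """Extract DNSKEYs from a BIND trusted-keys block."""
    keys = []
    for name, flags, proto, alg, key in _TRUSTED_KEY_RE.findall(conf):
        keys.append(DnsKey(name, int(flags), int(proto), int(alg),
                           re.sub(r"\s+", "", key)))
    return keys


def parse_dnskey_rrset(dig_output: str) -> list[DnsKey]:
    """Parse one-line-per-record dig output (no +multi) into DNSKEYs."""
    keys = []
    for line in dig_output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";") or "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        keys.append(DnsKey(tokens[0], flags, proto, alg, "".join(tokens[i + 4:])))
    return keys


def check_trust_anchors(configured: list[DnsKey], published: list[DnsKey]) -> dict:
    """Classify each configured anchor against the published DNSKEY RRset."""
    # Compare full RDATA, not just the 16-bit tag, to avoid tag collisions.
    published_rdata = {(k.name.lower(), k.rdata()) for k in published}
    report = {"valid": [], "stale": [], "not_ksk": []}
    for k in configured:
        entry = (k.name, k.key_tag())
        if (k.name.lower(), k.rdata()) not in published_rdata:
            report["stale"].append(entry)      # missed rollover: key is gone
        elif not k.is_ksk():
            report["not_ksk"].append(entry)    # a ZSK, rotated monthly; wrong anchor
        else:
            report["valid"].append(entry)
    return report


def trust_anchor_usable(report: dict) -> bool:
    """True only if at least one configured anchor is a currently published KSK."""
    return bool(report["valid"])


# Constructed sample: an old KSK that has since been rolled, plus a ZSK
# wrongly configured as an anchor. Key material is made up.
SAMPLE_NAMED_CONF = '''
trusted-keys {
    "dlv.isc.org." 257 3 5 "AQID
                            BA==";
    "dlv.isc.org." 256 3 5 "AQIDBA==";
};
'''

# Constructed sample standing in for `dig dlv.isc.org DNSKEY` after the rollover.
SAMPLE_DIG_OUTPUT = '''
; constructed sample, not real dig output
dlv.isc.org.    3600    IN    DNSKEY    256 3 5 AQIDBA==
dlv.isc.org.    3600    IN    DNSKEY    257 3 5 BQYHCA==
'''

if __name__ == "__main__":
    rep = check_trust_anchors(parse_trusted_keys(SAMPLE_NAMED_CONF),
                              parse_dnskey_rrset(SAMPLE_DIG_OUTPUT))
    for kind, entries in rep.items():
        for name, tag in entries:
            print(f"{kind:8s} {name} key tag {tag}")
    print("trust anchor usable:", trust_anchor_usable(rep))
```

With the sample inputs the old KSK (tag 2060) is reported as stale and the 256 key (tag 2059) as not a KSK, so no usable anchor remains, which is exactly the state in which a BIND resolver with dnssec-lookaside enabled stops validating. Running the same check against the live RRset on a schedule would have caught the rollover before the transition period ended.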




  3. Re: dnssec lookaside to dlv.isc.org broke recursion

    On Oct 24 2008, D. Stussy wrote, re the dlv.isc.org KSK,

    > If isc.org is going to change it annually or so, fine, but then let them
    > publish about 4 key-signing-keys, even if only one is actively used. That
    > would be 4 years worth of keys, which should be enough to cover 4+ years -
    > long enough for ICANN to get off their asses and sign the root zone.


    This doesn't make much (I am inclined to say "any") sense. Publishing the
    keys subjects them to attack, whether they are used for signing or not.
    The whole point of changing the keys regularly is to limit the time they
    are exposed to such attack.

    Also, 4 years is a long time in cryptographic techniques. Who is to say,
    for example, whether a 2048-bit KSK will still be adequate after that long?

    --
    Chris Thompson
    Email: cet1@cam.ac.uk


