This is a discussion on Re: DNSSEC server failure with trstech.net - DNS ; In message , Stephane Bortzmeyer writes: > On Thu, Nov 06, 2008 at 02:15:59PM +0100, > Gilles Massen wrote > a message of 38 lines which said: > > > That seems to be the issue: trstech.net has an DLV ...
In message <20081106132906.GA15665@nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Nov 06, 2008 at 02:15:59PM +0100,
> Gilles Massen
> a message of 38 lines which said:
> > That seems to be the issue: trstech.net has an DLV entry.
> Right! I completely missed it. Thanks.
> > It kind of illustrates that once you've gone the dnssec path, it
> > hard to go back again...
No. It's not hard. You just need to reverse the order of
operations. Remove the DLV / DS then once they have cleared
the caches you can convert the zone to unsigned.
If you have announced trust-anchors then it becomes harder
as you need to find and remove those trust anchors.
This is where signing the root / using dlv becomes so
important as there is only a single trust anchor to manage.
You don't end up with millions of people each with a copy
of your trust anchor.
> It illustrates also that DNSSEC is a very good way of DoSing yourself.
> Probably, Unbound had no problem because it was not configured to use
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org