[Dnssec-deployment] RRSIG for arpa expired

Paul Wouters paul at xelerance.com
Sat Jun 5 15:53:22 EDT 2010


On Sat, 5 Jun 2010, Casey Deccio wrote:

> Apparently the RRSIG made by arpa's KSK has expired (about 15hrs ago),
> bringing down everything (signed and unsigned) below it as well (for
> those using ISC DLV as a trust anchor):

Is that true? If you have all the in-addr.arpa keys configured as
trust anchors, won't they still override the bad parent? Or is
that only if you also provide NS record overrides in your resolver?

I guess a resolver might have a hard time using bogus/invalidated
answers only for paths that have their own more specific trust anchor
configured, though it would be a nice feature to have. But hard to keep
track of in the cache when it is "safe" to use. Does anyone know how
unbound or bind deals with this scenario? It would be nice to have.

I cannot test it anymore, as arpa. has been fixed by now.

Paul
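An added illustration of the scenario the thread discusses (not code from either poster, nor from unbound or BIND): a toy chain-of-trust validator that checks RRSIG inception/expiration windows in the real YYYYMMDDHHmmSS format and starts validation at the closest enclosing trust anchor. That closest-anchor rule is an assumption of this model, and the zone names, signature dates and the "now" timestamp are constructed to match the thread; whether a given resolver actually behaves this way is exactly the question Paul raises and should be checked against its documentation.

```python
"""Toy DNSSEC chain-of-trust model (added example; not resolver code)."""
import calendar
import time
from dataclasses import dataclass


def rrsig_time(stamp: str) -> int:
    """Parse an RRSIG inception/expiration field (YYYYMMDDHHmmSS, UTC) to epoch seconds."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))


@dataclass(frozen=True)
class Zone:
    name: str             # fully qualified, e.g. "in-addr.arpa."
    signed: bool          # publishes DNSKEY + RRSIGs; unsigned zones have no window
    inception: str = ""   # RRSIG inception over the DNSKEY RRset (YYYYMMDDHHmmSS)
    expiration: str = ""  # RRSIG expiration over the DNSKEY RRset

    def signatures_valid(self, now: int) -> bool:
        return rrsig_time(self.inception) <= now <= rrsig_time(self.expiration)


def parent_of(name: str):
    if name == ".":
        return None
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def ancestors(name: str):
    """Yield name, its parent, ... up to and including the root."""
    n = name
    while n is not None:
        yield n
        n = parent_of(n)


def validate(qname: str, zones: dict, anchors: set, now: int) -> str:
    """Return 'secure', 'insecure' or 'bogus' for qname.

    zones:   {zone name: Zone} for every zone cut the model knows about
    anchors: zone names that have a configured trust anchor (each must be in zones)
    Model assumption: validation starts at the closest enclosing trust anchor and
    walks down; zones above that anchor are never consulted.
    """
    containing = next((n for n in ancestors(qname) if n in zones), None)
    if containing is None:
        raise ValueError(f"no zone known for {qname}")
    anchor = next((n for n in ancestors(containing) if n in anchors), None)
    if anchor is None:
        return "insecure"  # no trust anchor covers this name: nothing to validate against
    # chain of zones from the anchor zone down to the zone containing qname
    chain = list(ancestors(containing))
    chain = chain[: chain.index(anchor) + 1][::-1]
    for name in chain:
        if name not in zones:
            continue  # empty non-terminal between two known zone cuts
        zone = zones[name]
        if not zone.signed:
            # the already-validated parent proved there is no DS: provably insecure
            return "insecure"
        if not zone.signatures_valid(now):
            # expired (or not yet valid) DNSKEY RRSIG: this zone is bogus, and so is
            # everything below it, signed or not, because neither a child's DS nor an
            # NSEC "no DS" proof can be verified from an unverifiable parent
            return "bogus"
    return "secure"


# Constructed data: "now" is the time of this thread, arpa's DNSKEY RRSIG expired
# earlier the same day, in-addr.arpa is signed and valid, 10.in-addr.arpa is unsigned.
NOW = rrsig_time("20100605195300")  # Sat Jun 5 2010 15:53 EDT expressed in UTC
ZONES = {
    "arpa.": Zone("arpa.", True, "20100506000000", "20100605000000"),
    "in-addr.arpa.": Zone("in-addr.arpa.", True, "20100601000000", "20100701000000"),
    "10.in-addr.arpa.": Zone("10.in-addr.arpa.", False),
}
SIGNED_NAME = "4.3.2.1.in-addr.arpa."   # lives in the signed in-addr.arpa zone
UNSIGNED_NAME = "1.1.10.in-addr.arpa."  # lives in the unsigned 10.in-addr.arpa zone


def scenario() -> dict:
    """Outcomes with only an anchor above arpa versus an extra anchor at in-addr.arpa."""
    above_only = {"arpa."}
    with_in_addr = {"arpa.", "in-addr.arpa."}
    return {
        "anchor_at_arpa": (
            validate(SIGNED_NAME, ZONES, above_only, NOW),
            validate(UNSIGNED_NAME, ZONES, above_only, NOW),
        ),
        "anchor_also_at_in-addr.arpa": (
            validate(SIGNED_NAME, ZONES, with_in_addr, NOW),
            validate(UNSIGNED_NAME, ZONES, with_in_addr, NOW),
        ),
    }


if __name__ == "__main__":
    for label, (signed, unsigned) in scenario().items():
        print(f"{label}: {SIGNED_NAME} -> {signed}, {UNSIGNED_NAME} -> {unsigned}")
```

With only the anchor above arpa, both names come back bogus, the unsigned one included, which is the behaviour Casey describes. Once in-addr.arpa itself is a trust anchor, the model never looks at arpa's expired signature: the signed name validates and the unsigned zone is proven insecure. The model also ignores caching; whether a real validator can keep "bogus via the parent path" and "secure via the closer anchor" apart in its cache is the harder part Paul points at.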


More information about the Dnssec-deployment mailing list