[Dnssec-deployment] RRSIG for arpa expired

Casey T. Deccio casey at deccio.net
Sat Jun 5 17:43:30 EDT 2010

On Jun 5, 2010, at 12:53 PM, Paul Wouters wrote:

> On Sat, 5 Jun 2010, Casey Deccio wrote:
>> Apparently the RRSIG made by arpa's KSK has expired (about 15hrs ago),
>> bringing down everything (signed and unsigned) below it as well (for
>> those using ISC DLV as a trust anchor):
> Is that true? If you have all the in-addr.arpa keys configured as
> trust anchor, won't they still override the bad parent? Or is
> that only if you also provide NS record overrides in your resolver?

I suppose that I meant any subdomains that aren't themselves anchored with DLV (or otherwise configured as trust anchors by a validating resolver). If there are multiple anchors within a hierarchy, I don't know how other implementations handle it, but dnsviz currently prefers a "good" path to a "broken" path if multiple paths exist, whether one is more specific or not.

> I guess a resolver might have a hard time using bogus/invalidated
> answers only for paths that have their own more specific trust anchor
> configured, though it would be a nice feature to have. But hard to keep
> track of in the cache when it is "safe" to use. Does anyone know how
> unbound or bind deals with this scenario? It would be nice to have.

> I cannot test it anymore, as arpa. has been fixed by now.

There will be others...


