dns-wg-admin@ripe.net wrote on 14-02-2006 12:16:57:
* Lutz Donnerhacke wrote:
In order to extend the deployment of security technology, we switch to DNSSEC for us and our customers. [...] This is the reason why we set up another DLV zone.
Please do *not* try to use this zone with any publicly available BIND version. There is a bug in the long-term behavior of the caching algorithms. Invalidation of cache entries occurs unrelated to DNSSEC. This causes invalidation of any signed entries over time. The race condition caused by cache invalidation is large enough to hit the lookaside zone itself after some hours on a busy server. Normal usage hits the problem after some days. Due to the BIND architecture, even authoritative servers can be unable to deliver their own data.
Look for "empty name resolving" entries in the logfiles.
Unfortunately there is no working DNSSEC-capable DNS server software out at all.
Try unbound as a validating DNSSEC resolver. http://www.rfc.se/unbound

Roy