On Mon, 28 Nov 2005 11:24:45 +0100, "Brett Carr" <brettcarr@ripe.net> said:
-----Original Message-----
From: Alexander Gall [mailto:gall@switch.ch]
Sent: 28 November 2005 08:47
To: Brett Carr
Cc: dns-wg@ripe.net
Subject: Re: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
Brett,
What's going on with 195.in-addr.arpa? All DNSSEC records are gone, e.g.
We saw some zone file corruption during the early hours of the morning; this caused a failsafe operation to take over and hence the zones were published without signatures. I've investigated and fixed the corruption, so now everything is back to normal.
Thanks. Having such a failsafe procedure is probably a good idea. However, it caused my sub-zone to be marked as bogus, which is bad (i.e. my cache with only the key for 195.in-addr.arpa configured as trusted key returned SERVFAIL for all queries within 176.195.in-addr.arpa). I think that you must not leave the DS records in the zone when all other DNSSEC RRsets are removed (and the DS record for my zone was definitely there). Otherwise, a verifier will find a DS record but is unable to check its authenticity and has to declare the zone as bogus. -- Alex
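The point Alex makes above, as an added example (not code from the thread or from the RIPE NCC): a pre-publish check that a failsafe like the one Brett describes could run, so that when a zone is published without its DNSKEY/RRSIG/NSEC RRsets the DS records of delegated children are dropped as well, and those children fall back to insecure rather than being declared bogus. Zone names mirror the thread; the SOA/NS/DS rdata, key tag and digest are constructed placeholders.

```python
# Added example: consistency check for an unsigned failsafe publication.
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC"}

def parse_zone(text):
    """Minimal parser: one record per line, 'owner [ttl] [IN] type rdata'.
    Returns (owner, rtype, rdata) tuples; comments and $-directives are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tok = line.split()
        owner, i = tok[0], 1
        if tok[i].isdigit():        # optional TTL
            i += 1
        if tok[i].upper() == "IN":  # optional class
            i += 1
        records.append((owner, tok[i].upper(), " ".join(tok[i + 1:])))
    return records

def dangling_ds(records):
    """Owners of DS records in a zone that carries no DNSKEY/RRSIG/NSEC at all.
    Such DS records cannot be authenticated, so a validator with the parent key
    as trust anchor declares the child bogus (SERVFAIL) instead of insecure."""
    types = {rtype for _, rtype, _ in records}
    if types & DNSSEC_TYPES:
        return []  # zone is signed; its DS RRsets have RRSIGs backing them
    return sorted({owner for owner, rtype, _ in records if rtype == "DS"})

def failsafe_publish(text):
    """What the failsafe should publish: the unsigned zone with the now
    unverifiable DS records removed as well."""
    records = parse_zone(text)
    drop = set(dangling_ds(records))
    keep = [r for r in records if not (r[1] == "DS" and r[0] in drop)]
    return "\n".join(f"{o} IN {t} {d}" for o, t, d in keep)

# Constructed snapshot modelled on the incident: the parent lost its
# signatures, but the DS for the delegated child is still published.
CORRUPTED = """\
195.in-addr.arpa.     3600 IN SOA ns.example. hostmaster.example. 1 7200 900 1209600 3600
195.in-addr.arpa.     3600 IN NS  ns.example.
176.195.in-addr.arpa. 3600 IN NS  ns.child.example.
176.195.in-addr.arpa. 3600 IN DS  12345 5 1 0123456789abcdef0123456789abcdef01234567 ; placeholder
"""

if __name__ == "__main__":
    print("dangling DS:", dangling_ds(parse_zone(CORRUPTED)))
    print(failsafe_publish(CORRUPTED))
```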