[dns-wg] RIPE NCC DNSSEC on the reverse tree update.

On Mon, 28 Nov 2005 11:24:45 +0100, "Brett Carr" <brettcarr at ripe.net> said:

>> -----Original Message-----
>> From: Alexander Gall [mailto:gall at switch.ch] 
>> Sent: 28 November 2005 08:47
>> To: Brett Carr
>> Cc: dns-wg at ripe.net
>> Subject: Re: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>> 
>> Brett,
>> 
>> What's going on with 195.in-addr.arpa?  All DNSSEC records 
>> are gone, e.g. 
>> 

> We saw some zone file corruption during the early hours of the morning, this
> caused a failsafe operation to takeover and  hence the zones were published
> without signatures. I've investigated and fixed the corruption and so now
> everything is back to normal.

Thanks.  Having such a failsafe procedure is probably a good idea.
However, it caused my sub-zone to be marked as bogus, which is bad
(i.e. my cache with only the key for 195.in-addr.arpa configured as
trusted key returned SERVFAIL for all queries within
176.195.in-addr.arpa).  I think that you must not leave the DS records
in the zone when all other DNSSEC RRsets are removed (and the DS
record for my zone was definitely there).  Otherwise, a verifier will
find a DS record but is unable to check its authenticity and has to
declare the zone as bogus.

--
Alex