This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] Just another lookaside zone
Lutz Donnerhacke
lutz at iks-jena.de
Tue Feb 14 12:16:57 CET 2006
* Lutz Donnerhacke wrote:
> In order to extend the deployment of security technology, we switch to
> DNSSEC for us and our customers. [...] This is the reason why we set
> up another DLV zone.

Please do *not* try to use this zone with any publicly available bind version. There is a bug in the long-term behavior of the caching algorithms. Invalidation of cache entries occurs unrelated to DNSSEC. This causes invalidation of any signed entries over time.

The race condition caused by cache invalidation is large enough to hit the lookaside zone itself after some hours on a busy server. Normal usage hits the problem after some days. Due to the bind architecture, even authorized servers can be unable to deliver their own data. Look for "empty name resolving" entries in the logfiles.

Unfortunately, there is no working DNSSECable DNS server software out at all.