This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] Just another lookaside zone
Roy.Arends at nominet.org.uk
Tue Feb 14 15:04:50 CET 2006
dns-wg-admin at ripe.net wrote on 14-02-2006 12:16:57:

> * Lutz Donnerhacke wrote:
> > In order to extend the deployment of security technology, we switch to
> > DNSSEC for us and our customers. [...] This is the reason why we set
> > up another DLV zone.
>
> Please do *not* try to use this zone with any publicly available bind version.
> There is a bug in long time behavior of the caching algorithms. Invalidating
> of cache entries occurs unrelated to DNSSEC. This causes invalidating of any
> signed entries over the time. The race condition caused by cache
> invalidation is large enough to hit the lookaside zone itself after some
> hours on a busy server. Normal usage hits the problem after some days. Due
> to the bind architecture, even authorized servers can be unable to deliver
> their own data.
>
> Look for "empty name resolving" entries in the logfiles.
>
> Unfortunately there is no working DNSSECable DNS server software out at all.

Try unbound as a validating DNSSEC resolver.

http://www.rfc.se/unbound

Roy