Maintained by: NLnet Labs

[Unbound-users] .PR servfails with Unbound but not with BIND

Ondřej Surý
Wed Sep 9 15:38:56 CEST 2009


Stephane, Patrik,

>> Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
>> a message of 126 lines which said:
>>
>>> % dig SOA pr.
>>>
>>> ; <<>> DiG 9.5.1-P3 <<>> SOA pr.
>>> ;; global options:  printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 940
>>
>> It works now. The DLV registry at ISC updated the key. Apparently, the
>> .PR people rolled over with a very short notice and anyone using DLV
>> or manual tracking of keys will have experienced the problem.
>>
>> Lesson learned: activating DNSSEC validation today is only for
>> playing and should not be done in a production environment.
>
> .SE has been in production mode for the last 2.5 years. It has been working
> very well in Sweden with all the major resolver operators performing DNSSEC
> validation. I would rather say that DLV is not ready for use in a production
> environment.

I would rather say that .PR is at fault here. I have discovered that
the .PR key has changed only from my automated ITAR update script. At
first they had removed the .PR key from ITAR and after that they had added
a new key - it didn't look like a regular, well-planned rollover. Or had
anybody seen some announcement?

When .SE had changed their key, I got announcements from several places
and it was well planned and everybody could prepare before the rollover
was done.

Also, if .PR knew that their key was in the DLV registry, they should
have exchanged their key in DLV as well.

Ondrej
-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
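An added example, not from this thread and not Unbound's or ISC's code, of the check a resolver operator can run to catch the condition discussed above before it turns into SERVFAIL: compute RFC 4034 key tags for a zone's current apex DNSKEY RRset and compare them against the trust anchors the validator is configured with. The .PR DNSKEY records and anchor tags below are constructed for the example, not the real .PR keys.

```python
import base64
import struct


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.
    Valid for every algorithm except 1 (RSA/MD5), which uses a different rule."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse one presentation-format DNSKEY RR, e.g. 'pr. 3600 IN DNSKEY 257 3 8 AQID'."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *b64 = line.split()
    if rtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    pubkey = base64.b64decode("".join(b64))
    return {"owner": owner, "flags": int(flags), "algorithm": int(alg),
            "key_tag": key_tag(int(flags), int(proto), int(alg), pubkey)}


def stale_anchors(configured: list, zone_dnskeys: list) -> list:
    """Return (owner, key_tag) for every configured anchor (owner, algorithm, key_tag)
    that no longer matches a DNSKEY in the zone's current RRset. A non-empty result
    means a validator still trusting those anchors will SERVFAIL for that zone."""
    published = {(k["owner"], k["algorithm"], k["key_tag"])
                 for k in map(parse_dnskey, zone_dnskeys)}
    return sorted((o, tag) for (o, alg, tag) in configured if (o, alg, tag) not in published)


# Constructed data: the anchor a registry like DLV/ITAR held before the rollover,
# and the DNSKEY RRset the zone publishes after it (tiny fake public keys).
OLD_ANCHORS = [("pr.", 8, 2059)]        # tag of 'pr. 3600 IN DNSKEY 257 3 8 AQID'
ZONE_NOW = ["pr. 3600 IN DNSKEY 257 3 8 BAUG",   # new KSK, tag 3598
            "pr. 3600 IN DNSKEY 256 3 8 BwgJ"]   # ZSK, tag 5136

if __name__ == "__main__":
    for owner, tag in stale_anchors(OLD_ANCHORS, ZONE_NOW):
        print(f"trust anchor {owner} key tag {tag} not in current DNSKEY RRset: expect SERVFAIL")
```

Running the same check daily against the zones you anchor (or against the DLV/ITAR copy of those anchors) flags an unannounced rollover as soon as the new DNSKEY RRset is published, rather than when users start reporting SERVFAIL.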