Maintained by: NLnet Labs

[Unbound-users] .PR servfails with Unbound but not with BIND

Michael Graff
Wed Sep 9 18:26:08 CEST 2009



Not to follow up my own post, but I'd like to point out that .pr is not
the only problem in TAR-space right now.

From the ARIN TAR import:

171.in-addr.arpa:
Fetching DNSKEYS from DNS for 171.in-addr.arpa
Unused DS for 171.in-addr.arpa, type RSASHA1/SHA-1, tag 54333

153.in-addr.arpa:
Fetching DNSKEYS from DNS for 153.in-addr.arpa
Unused DS for 153.in-addr.arpa, type RSASHA1/SHA-1, tag 35994

154.in-addr.arpa:
Fetching DNSKEYS from DNS for 154.in-addr.arpa
Unused DS for 154.in-addr.arpa, type RSASHA1/SHA-1, tag 49773


What this script does is compare data from three sources:  what is
currently in ISC's DLV, what is in the TAR, and what is in the zone.
ISC's DLV will attempt to match the TAR's data: if a key is removed
from the TAR, we will remove it from DLV regardless of whether it is
still in the zone. We will attempt to add any new keys we find DS
records for in the TAR, if they exist in the zone.

In this case, I believe these three domains were delegated away from
ARIN, but they (and DS records) are still present in the ARIN TAR.

In this case, anyone who has a tar-import script would reject any data
from those domains, since the trusted-key would be configured, yet it is
not correct.

--Michael

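As an added illustration (not Michael's script, which is not on the list), the following Python model implements the three-way comparison he describes, using constructed DS/DNSKEY/DLV inputs; the key-tag computation follows RFC 4034 Appendix B, and the DS tag 54333 is taken from the post.

```python
from typing import Dict, Iterable, List, Set, Tuple

DS = Tuple[int, int]  # (key tag, algorithm) as carried by a DS record


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (flags, protocol, algorithm, key), RFC 4034 App. B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def reconcile(tar_ds: Set[DS], zone_dnskeys: Iterable[bytes],
              dlv_tags: Set[int]) -> Dict[str, List]:
    """Compare TAR DS records, the zone's DNSKEY RRset and the current DLV contents."""
    # (tag, algorithm) pairs actually published in the zone's DNSKEY RRset.
    zone_keys = {(key_tag(r), r[3]) for r in zone_dnskeys}
    tar_tags = {t for t, _ in tar_ds}
    return {
        # TAR lists a DS for which the zone publishes no matching DNSKEY
        # (the "Unused DS" lines in the post).
        "unused": sorted(ds for ds in tar_ds if ds not in zone_keys),
        # In the TAR and in the zone, but not yet in DLV: candidate for addition.
        "add": sorted(ds for ds in tar_ds
                      if ds in zone_keys and ds[0] not in dlv_tags),
        # In DLV but no longer in the TAR: removed regardless of the zone.
        "remove": sorted(t for t in dlv_tags if t not in tar_tags),
    }


# Constructed DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 5 (RSASHA1),
# followed by a short made-up public-key field. Its key tag is 45781.
ZONE_KEY_RDATA = bytes([0x01, 0x01, 0x03, 0x05]) + b"\x03\x01\x00\x01\xab\xcd"

if __name__ == "__main__":
    # Situation from the post: the TAR still carries DS tag 54333 for
    # 171.in-addr.arpa, but the zone's DNSKEY (tag 45781) does not match it.
    print(reconcile({(54333, 5)}, [ZONE_KEY_RDATA], {54333}))
    # Constructed case: a new key to add and a stale DLV entry (tag 22222) to drop.
    print(reconcile({(45781, 5)}, [ZONE_KEY_RDATA], {22222}))
```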