Yenya's World

Mon, 15 Nov 2010

DNSSEC Problems

In July, I wrote about DNSSEC tools. Our zone is still not signed yet, but I at least enabled DNSSEC validation on our recursive servers at that time, asked the maintainer of the muni.cz domain about the DNSSEC enrollment process, and suggested we should discuss it further.

I got no reply for several weeks, and then he suddenly replied: "I have signed the muni.cz domain". The evening before this e-mail, our recursive servers stopped resolving even names from our own subdomain, fi.muni.cz. It was a major service disruption (the whole IS MU cluster disintegrated, etc.). I was on holiday, so my colleagues just switched off the DNSSEC processing altogether. I did not have time to look into this problem until last week. I tried to re-enable DNSSEC, and the same problem appeared. Part of the DNS queries just got dropped. Digging into this further (thanks, Dan!) I discovered that one out of three authoritative DNS servers for muni.cz (ns.ces.net) has DNSSEC disabled. So 1/3 of the queries were replied to without signatures, and got dropped by validating resolvers.
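Added here as an example, not code from the post: a small Python checker for the failure mode described above, where one authoritative server answers without RRSIGs while its siblings sign. It parses the output of `dig +dnssec +norecurse @server name A` from each authoritative server, reports the servers that do not sign while at least one other does, and estimates the share of answers a validating resolver would drop (one of three servers unsigned gives the 1/3 from the post). The server names ns-a/ns-b/ns-c.example.net, the record data and all dig outputs are constructed stand-ins, not real captures; `dig_live` runs the real dig binary and needs network access.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List

# Pieces of `dig +dnssec` output that matter for a signature check.
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
STATUS_RE = re.compile(r"status: (\w+)")
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags:([^;]*);", re.M)


@dataclass
class DigResult:
    server: str
    status: str
    flags: List[str]          # header flags, e.g. ["qr", "aa"]
    edns_do: bool             # server echoed the EDNS DO bit
    answer_types: List[str]   # RR types in the ANSWER section, in order

    @property
    def signed(self) -> bool:
        return "RRSIG" in self.answer_types


def parse_dig(server: str, text: str) -> DigResult:
    """Extract status, header flags, EDNS DO and ANSWER record types from dig output."""
    status_m, flags_m, edns_m = STATUS_RE.search(text), FLAGS_RE.search(text), EDNS_RE.search(text)
    flags = flags_m.group(1).split() if flags_m else []
    edns_do = bool(edns_m) and "do" in edns_m.group(1).split()
    types: List[str] = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break                    # a blank line ends the section
            parts = line.split()         # owner TTL class TYPE rdata...
            if len(parts) >= 4:
                types.append(parts[3])
    return DigResult(server, status_m.group(1) if status_m else "UNKNOWN", flags, edns_do, types)


def find_unsigned_servers(results: List[DigResult]) -> List[str]:
    """Servers that answer without RRSIGs while at least one sibling signs.
    An all-unsigned zone is consistent (merely unsigned) and yields []; a mix is
    what makes validating resolvers drop a share of the answers."""
    if not any(r.signed for r in results):
        return []
    return [r.server for r in results if not r.signed]


def expected_failure_fraction(results: List[DigResult]) -> float:
    """Share of queries a validating resolver loses if it spreads them evenly over the servers."""
    return len(find_unsigned_servers(results)) / len(results) if results else 0.0


def dig_live(server: str, name: str, rtype: str = "A") -> DigResult:
    """Query one authoritative server with the real dig binary (needs network; not used offline)."""
    out = subprocess.run(["dig", "+dnssec", "+norecurse", f"@{server}", name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig(server, out)


def constructed_dig_output(server: str, with_rrsig: bool) -> str:
    """Constructed stand-in for `dig +dnssec +norecurse @server www.fi.muni.cz A` (not a real capture)."""
    answer = ["www.fi.muni.cz.\t3600\tIN\tA\t192.0.2.10"]
    if with_rrsig:  # fake signature data; only the RR type matters to the check
        answer.append("www.fi.muni.cz.\t3600\tIN\tRRSIG\tA 8 3 3600 20101215000000 "
                      "20101115000000 12345 fi.muni.cz. c29tZS1zaWduYXR1cmU=")
    return "\n".join([
        f"; <<>> DiG 9.7.2 <<>> +dnssec +norecurse @{server} www.fi.muni.cz A",
        ";; Got answer:",
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242",
        f";; flags: qr aa; QUERY: 1, ANSWER: {len(answer)}, AUTHORITY: 0, ADDITIONAL: 1",
        "",
        ";; OPT PSEUDOSECTION:",
        f"; EDNS: version: 0, flags:{' do' if with_rrsig else ''}; udp: 4096",
        ";; QUESTION SECTION:",
        ";www.fi.muni.cz.\t\t\tIN\tA",
        "",
        ";; ANSWER SECTION:",
        *answer,
        "",
        ";; Query time: 1 msec",
    ])


# Constructed scenario mirroring the post: two signing servers, one with DNSSEC disabled.
SCENARIO = {"ns-a.example.net": True, "ns-b.example.net": True, "ns-c.example.net": False}


def check_scenario(scenario=SCENARIO) -> List[DigResult]:
    return [parse_dig(srv, constructed_dig_output(srv, ok)) for srv, ok in scenario.items()]


if __name__ == "__main__":
    results = check_scenario()
    for r in results:
        print(f"{r.server}: status={r.status} do={r.edns_do} rrsig={r.signed}")
    print("unsigned while siblings sign:", find_unsigned_servers(results))
    print(f"expected drop rate at validating resolvers: {expected_failure_fraction(results):.0%}")
```

For a real zone, replace `check_scenario` with a loop over the NS set calling `dig_live`; an empty `find_unsigned_servers` result together with all servers reporting `do=True` is the state you want before asking the parent to publish a DS record.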

The moral of the story is:

Do you use validating resolvers, my dear lazyweb? And are all your zones signed?

Jan "Yenya" Kasprzak