Ticket ID: SIXXS #6192142
Ticket Status: Resolved
PoP: czprg01 - Ignum, s.r.o. (Prague)
Broken DLV delegation
Shadow Hawkins on Monday, 02 January 2012 13:54:04
The DLV records in the dlv.isc.org. registry for reverse zone f.f.0.0.c.8.1.0.a.2.ip6.arpa. look broken, preventing DLV-aware validating
resolvers from resolving reverse records under this delegation. The keytag of the KSK
DNSKEY (26931) differs from the keytag in the DLV registry (40270):
$ dig f.f.0.0.c.8.1.0.a.2.ip6.arpa. DNSKEY > /tmp/tmp.key
$ dnssec-dsfromkey /tmp/tmp
f.f.0.0.c.8.1.0.a.2.ip6.arpa. IN DS 26931 8 1 1C8F6E9AA51450BD517EB3AC9A5FEBEB6CB35318
f.f.0.0.c.8.1.0.a.2.ip6.arpa. IN DS 26931 8 2 C6CD2FD406F99DF999DE94CA7AC1D9BD1CEB297BE6C1E41C3A884B23 8B6DCC64
$ dig f.f.0.0.c.8.1.0.a.2.ip6.arpa.dlv.isc.org. DLV
f.f.0.0.c.8.1.0.a.2.ip6.arpa.dlv.isc.org. 3102 IN DLV 40270 8 2 1DFE65BD5EAEF25882CFB33DA237F444674A0FEC13A0B54EA4514EAB 22C21C7A
f.f.0.0.c.8.1.0.a.2.ip6.arpa.dlv.isc.org. 3102 IN DLV 40270 8 1 F5AD5AB9B4A8C80ED45B2B1A4ACABD6AD4A47F1A
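The comparison made in the report above, as an added example (not code from the ticket, SixXS or ISC): it computes the RFC 4034 key tag and the DS-style digest for each KSK in a DNSKEY set and lists the DLV records that match none of them. The DNSKEY material is constructed toy data and all function names are this example's own; only the zone name and the stale DLV record are taken from the ticket.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS/DLV digest types 1 and 2


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit checksum of the RDATA)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def wire_name(owner):
    """Canonical (lower-case) wire form of a fully qualified owner name."""
    labels = owner.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def make_ds(owner, rdata, digest_type):
    """(key tag, algorithm, digest type, digest) a DS/DLV record for this key carries."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def stale_dlv(owner, dnskeys, dlv_records):
    """Return the DLV records that match no SEP (KSK) key in the DNSKEY set."""
    ksks = [dnskey_rdata(*k) for k in dnskeys if k[0] & 1]  # SEP bit set
    stale = []
    for tag, alg, dtype, digest in dlv_records:
        digest = digest.replace(" ", "").upper()  # dig prints long digests with spaces
        if not any(make_ds(owner, k, dtype) == (tag, alg, dtype, digest) for k in ksks):
            stale.append((tag, alg, dtype, digest))
    return stale


ZONE = "f.f.0.0.c.8.1.0.a.2.ip6.arpa."
# Constructed DNSKEY set (KSK + ZSK): toy key material, not the zone's real keys.
KEYS = [(257, 3, 8, "AQIDBA=="), (256, 3, 8, "BQYHCA==")]
# DLV set: one record derived from the constructed KSK, one copied from the ticket.
DLV = [make_ds(ZONE, dnskey_rdata(*KEYS[0]), 2),
       (40270, 8, 1, "F5AD5AB9B4A8C80ED45B2B1A4ACABD6AD4A47F1A")]

if __name__ == "__main__":
    for rec in stale_dlv(ZONE, KEYS, DLV):
        print("no matching KSK for DLV record:", rec)
```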
State change: confirmed
Jeroen Massar on Monday, 02 January 2012 14:27:03
The state of this ticket has been changed to confirmed
Broken DLV delegation
Jeroen Massar on Monday, 02 January 2012 14:27:59
Several zones are in the process of being updated due to key rollovers and thus are marked as 'Pending Check' in the DLV site. This should resolve itself in the next few hours or likely less.
Broken DLV delegation
Shadow Hawkins on Monday, 02 January 2012 15:28:18
After cleaning the resolver cache, everything seems to work correctly. Please consider lowering the TTL prior to future rollovers and/or extending the double signature period to avoid such downtimes.
Thanks for the explanation.
Broken DLV delegation
Jeroen Massar on Monday, 02 January 2012 15:10:21
According to DLV all should be fine again. Note also that the ISC DLV does not publish the record unless it is marked as good:
INFO Started: Mon Jan 02 13:44:31 +0000 2012
SUCCESS 2620::6B0:A:250:56FF:FE99:78F7 answered DNSKEY query with rcode NOERROR
SUCCESS 2001:770:18:8::4 answered DNSKEY query with rcode NOERROR
SUCCESS 78.141.179.38 answered DNSKEY query with rcode NOERROR
SUCCESS 38.229.76.3 answered DNSKEY query with rcode NOERROR
SUCCESS 2001:7E8:1:102::A answered DNSKEY query with rcode NOERROR
SUCCESS 193.1.31.74 answered DNSKEY query with rcode NOERROR
INFO Total answers: 6
SUCCESS All DNSKEY responses are identical.
INFO VERIFY-DNSKEY: 3 DNSKEYs found.
INFO VERIFY-DNSKEY: 1 keys found after filtering.
SUCCESS DNSKEY signatures validated.
SUCCESS VALIDATED_SEP_KEY: f.f.0.0.c.8.1.0.a.2.ip6.arpa. 604800 IN DNSKEY 257 3 RSASHA256 ( AwEAAeDYXitGLl3MY+3cXJAz0fUhohTgvsQ4YtWAZ//Hw3mtyK4r2Vbt1l0Pk8Veh6x6kDyowlP3sAKL4ySwcAmry5W/S3OPiJLbpuK8rRAhJk7uFCr+NSgapugQ6Mk0wASLEF78yKLArKH8HkiXCVtPZkrsimpxR4yQrZf2gezq1HWbTontG22U06igdAckNyWKqEh/pCQ8sezko8++VDdqr/9q6xbB5sB3oibWpmnirJoS854Xqvt4ER0JhaVDxr9pA5xAvV2zLfb7rg1Zie1rL2BLjDLlMFLdCrGgjLaQSQqV0WMBpml2U+fYfXeqSPjpnW+iD7/SkhnZEANgleF/2jc= ) ; key_tag=31600
INFO Name servers which responded: 2620::6B0:A:250:56FF:FE99:78F7, 2001:770:18:8::4, 78.141.179.38, 38.229.76.3, 2001:7E8:1:102::A, 193.1.31.74
FINAL_SUCCESS Success.
Also note that the old entries might still be cached in the DNS caches along your path.
State change: resolved
Jeroen Massar on Monday, 02 January 2012 15:10:38
The state of this ticket has been changed to resolved