[Unbound-users] .PR servfails due to wrong key in DLV
Paul Wouters
paul at xelerance.com
Tue Sep 8 15:58:35 UTC 2009
On Tue, 8 Sep 2009, Stephane Bortzmeyer wrote:
[added dnsop at ietf.org to the reply]
> Subject: [Unbound-users] .PR servfails with Unbound but not with BIND
> % dig SOA pr.
> I get the key through DLV.
It's outdated and wrong and missing the new key.
On Aug 19 2009, pr added this key:
> PR. IN DNSKEY 257 3 5 AwEAAeDPv9lQ7Ej5Ld9Fz/FKLhdOajwtEXsWykj65ugIa4Di1nY6ti9n
dkeR4kp1aSNlvf6N7KsjunfMJj4SccBwcY77DrxmQ+g9nI09ePMZvxF2
U63Lv9BftGaIguYdkYZVSwHd1q7DdXqNkLaD4tZEHiN0h/3wBdTQUPH1
IoskD1vGxiPw2egftk6sVQdvOJWaAgSpmG0eq+/e90WVTNX4/xhA17Pr
dQQJIheZQ3+EsDoil8kyJZC12KoHYpFklx7+aCiR2u8Fumy6ARFR4PP0
n7bnBaKOgMpVzz+KI79a3USDkj9RhNog50iSWgaBM75Xu0IBNEpcCVYZ
YjwDESgiDXc=
And on Sep 4 2009, pr removed this key:
< PR. IN DNSKEY 257 3 5 AwEAAc6SkFSHw00wJFUWd1Td/efsxhfX+UTrxrzqQXNuZ8Qj2PiP6p/m
BxysJt06XgSCB41CPhkgvgqrtdaJ/hXKG81xNXUcGfqvV9wYMJnN+oBB
/lLaQU/39fWaNc4fBGiRI2dNDVKPry2YX6y04YrEGRM+wf6HWHVdW1Js
xuMuDOSr
> % dig DLV pr.dlv.isc.org.
> ;; ANSWER SECTION:
> pr.dlv.isc.org. 3255 IN DLV 62704 5 2 57E017A982196D194B3F52CDD39F86A9A33DED75064F285A9242BA7A 448A659C
> pr.dlv.isc.org. 3255 IN DLV 62704 5 1 AFA72CB11D4C97657D82338AF6D569ED614166EB
These are the old key, and that DLV record should be removed. The new DLV record should be:
pr.dlv.isc.org. IN DLV 6277 5 2 6966580bb25c608540e8224039561c7b2a1488d1f927c5cdbd137f4ef3d31528
pr.dlv.isc.org. IN DLV 6277 5 1 05d02dce8385974d958a5db409f6ff3658293b2
I guess we need a MUCH better communication method between TLDs, iTAR and ISC's DLV. This is bad.
Paul
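
The failure described in this message, a DLV record that still points at a KSK the zone has removed, can be detected by recomputing the key tag (RFC 4034 Appendix B) and digest for each published DNSKEY and comparing them with the DLV set. The following is an added example, not part of the original message; the key material is constructed (not the real .PR keys) and the function names are hypothetical.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS/DLV digest type numbers

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name such as 'pr.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(name, rdata, digest_type):
    """Digest carried in a DS or DLV record: hash(owner name | DNSKEY RDATA)."""
    return DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest()

def stale_dlv(name, dnskeys, dlv_records):
    """Return the DLV records (tag, alg, digest_type, hex) matching no current DNSKEY."""
    stale = []
    for tag, alg, dtype, digest in dlv_records:
        wanted = digest.replace(" ", "").lower()
        if not any(key_tag(k) == tag and k[3] == alg
                   and ds_digest(name, k, dtype) == wanted for k in dnskeys):
            stale.append((tag, alg, dtype, digest))
    return stale

# Constructed sample data (not the real .PR keys): an old and a new KSK.
OLD_KSK = dnskey_rdata(257, 3, 5, "AQIDBA==")  # key bytes 01 02 03 04
NEW_KSK = dnskey_rdata(257, 3, 5, "BQYHCA==")  # key bytes 05 06 07 08
# The lookaside registry still lists only the old key.
published = [(key_tag(OLD_KSK), 5, 2, ds_digest("pr.", OLD_KSK, 2))]

if __name__ == "__main__":
    print("during rollover:", stale_dlv("pr.", [OLD_KSK, NEW_KSK], published))
    print("old key removed:", stale_dlv("pr.", [NEW_KSK], published))
```

While both keys are published the old DLV record still validates; once the zone drops the old key, every DLV record is stale and a validating resolver has no usable trust anchor for the zone.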