Volume 13, Number 1 of Cisco's Internet Protocol Journal (IPJ) features a fascinating DNS troubleshooting article titled "Rolling Over DNSSEC Keys" by George Michaelson (APNIC), Patrik Wallström (.SE), Roy Arends (Nominet), and Geoff Huston (APNIC). It's one of the best articles I've ever read in IPJ. You should subscribe (it's free) if you like this blog.

In the article, the authors investigate a surge of DNS traffic suffered by a secondary DNS server that is authoritative for a number of subdomains of the in-addr.arpa zone. The article explains what happens next; I can cut to the chase with the following quotes:

In other words, in this example scenario with stale Trust Anchor keys in a local client's resolver, a single attempt to validate a single DNS response will cause the client to send a further 844 queries, and each .com Name Server to receive 56 DNSKEY RR queries and 4 DS RR queries...

The problem with key rollover and local management of trust keys appears to be found in around 1 in every 1,500 res
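The mechanism behind the quoted numbers is that a resolver whose configured trust anchor no longer corresponds to any key in the zone's current DNSKEY RRset cannot validate and keeps re-querying. The following is an added example, written for this post and not code from the IPJ article or its authors, showing the comparison a validator performs: compute each DNSKEY's key tag (RFC 4034 Appendix B) and DS digest (SHA-256, RFC 4509) and check them against the configured anchors, before and after a KSK rollover. The zone name `example.`, the key bytes and the anchors are all constructed for illustration; the "public keys" are not real RSA keys, and the function names are my own.

```python
"""Added example (not from the IPJ article or this blog): checking a locally
configured DNSSEC trust anchor against a zone's current DNSKEY RRset.

A trust anchor is held in DS form (key tag, algorithm, digest type, digest).
After a KSK rollover the zone publishes a new KSK; an anchor that still
describes the retired key matches nothing, which is the stale-anchor
condition the article describes.  All zone names and key bytes below are
constructed for illustration; the "public keys" are not real RSA keys.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # owner name, e.g. "example."
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # 8 = RSA/SHA-256
    public_key: bytes   # raw public key bytes (base64-decoded in a real zone file)

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags, protocol, algorithm, key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class TrustAnchor:
    """Trust anchor in DS form, as a resolver keeps it in its configuration."""
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1 (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Uncompressed wire-format owner name; DS input uses the canonical (lower-case) form."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(key: DNSKEY, digest_type: int = 2) -> bytes:
    """DS digest over owner-name || DNSKEY RDATA (RFC 4034 s5.1.4; SHA-256 per RFC 4509)."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is modelled here")
    return hashlib.sha256(wire_name(key.owner) + key.rdata()).digest()


def anchor_from_key(key: DNSKEY) -> TrustAnchor:
    """What a zone operator publishes, and a resolver installs, after a rollover."""
    return TrustAnchor(key.owner, key_tag(key.rdata()), key.algorithm, 2, ds_digest(key))


def anchor_matches(anchor: TrustAnchor, rrset: Iterable[DNSKEY]) -> Optional[DNSKEY]:
    """Return the DNSKEY the anchor authenticates, or None if the anchor is stale.

    Key tag and algorithm are only a pre-filter (tags can collide); the digest
    comparison is what actually binds the anchor to a key.
    """
    for key in rrset:
        if key.owner.lower() != anchor.owner.lower() or key.algorithm != anchor.algorithm:
            continue
        if key_tag(key.rdata()) != anchor.key_tag:
            continue
        if ds_digest(key, anchor.digest_type) == anchor.digest:
            return key
    return None


def stale_anchors(anchors: Iterable[TrustAnchor], rrset: Iterable[DNSKEY]) -> list:
    """Anchors that match no key in the zone's current DNSKEY RRset.  A resolver
    left with only such anchors for a zone cannot validate anything under it."""
    rrset = list(rrset)
    return [a for a in anchors if anchor_matches(a, rrset) is None]


# Constructed data: a KSK rollover for the zone "example." (not a real zone's keys).
OLD_KSK = DNSKEY("example.", 257, 3, 8, b"\x03\x01\x00\x01\xc0\xff\xee\x42")
NEW_KSK = DNSKEY("example.", 257, 3, 8, b"\x03\x01\x00\x01\xde\xad\xbe\xef")
ZSK = DNSKEY("example.", 256, 3, 8, b"\x03\x01\x00\x01\x12\x34\x56\x78")

STALE_ANCHOR = anchor_from_key(OLD_KSK)   # what the resolver still has configured
FRESH_ANCHOR = anchor_from_key(NEW_KSK)   # what it should have after the rollover
CURRENT_RRSET = [NEW_KSK, ZSK]            # the zone after the old KSK was retired


if __name__ == "__main__":
    for label, anchor in (("stale", STALE_ANCHOR), ("fresh", FRESH_ANCHOR)):
        hit = anchor_matches(anchor, CURRENT_RRSET)
        status = f"matches key tag {key_tag(hit.rdata())}" if hit else "matches NO key -> validation fails"
        print(f"{label} anchor (tag {anchor.key_tag}): {status}")
```

To run this against a real zone, replace the constructed keys with the base64-decoded DNSKEY RDATA fetched from the zone and the anchors with the DS records or trust-anchor lines from the resolver's configuration; the stale case is the one in which `stale_anchors` returns every anchor for a zone, which is exactly the state in which the article's resolvers start re-querying.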