[Yeti DNS Discuss] Notes from the Yeti Coordinator F2F meeting
shane at biigroup.cn
Fri Sep 18 01:39:44 UTC 2015
Jaap, Stephane, and all,
On 2015-09-17 15:41:48+0200 (Thursday)
Jaap Akkerhuis <jaap at NLnetLabs.nl> wrote:
> Stephane Bortzmeyer writes:
> > On Thu, Sep 17, 2015 at 12:44:59PM +0800,
> > Shane Kerr <shane at biigroup.cn> wrote
> > a message of 94 lines which said:
> > > * We should document RFC 5011 hold-down timer breaking Unbound (but
> > > not BIND 9) as a finding
> > IMHO, it is the opposite: BIND ignores the mandatory hold-down timer
> > (and thus works) while Unbound does the right thing (and breaks when
> > the timer was not respected, as in the Yeti root key rollover).
I checked and you are correct, this is actually a bug in BIND 9:
Once the timer expires, the new key will be added as a trust anchor
the next time the validated RRSet with the new key is seen at the
resolver. The resolver MUST NOT treat the new key as a trust anchor
until the hold-down time expires AND it has retrieved and validated a
DNSKEY RRSet after the hold-down time that contains the new key.
I thought it was a "SHOULD NOT".
In any case, I was intending to say that either BIND 9 or Unbound is
bad, just that when we rolled the key one resolver continued to
function and the other did not. Probably I should not have said
Personally I question the value of the hold-down timer, and would like
to run a separate experiment to see what happens if we actually try to
use it. :)
> To help people breakig the 5011 protocol, unbound now has an option to do so:
> # instruct the auto-trust-anchor-file probing to add anchors after ttl.
> # add-holddown: 2592000 # 30 days
> # instruct the auto-trust-anchor-file probing to del anchors after ttl.
> # del-holddown: 2592000 # 30 days
> Not released yet I think, but in the repository
I'm not sure this is actually very useful. As someone running a trust
anchor that relies on RFC 5011 (which realistically is just the root,
test domains, and possibly a few domains who don't have a signed
parent), you basically have to assume the 30-day hold-down timer as
OTOH I guess someone, somewhere thought it was useful for them,
otherwise it would not have been added. :P
More information about the discuss