[Yeti DNS Discuss] Notes from the Yeti Coordinator F2F meeting
Shane Kerr
shane at biigroup.cn
Fri Sep 18 01:39:44 UTC 2015
Jaap, Stephane, and all,
On 2015-09-17 15:41:48+0200 (Thursday)
Jaap Akkerhuis <jaap at NLnetLabs.nl> wrote:
> Stephane Bortzmeyer writes:
>
> > On Thu, Sep 17, 2015 at 12:44:59PM +0800,
> > Shane Kerr <shane at biigroup.cn> wrote
> > a message of 94 lines which said:
> >
> > > * We should document RFC 5011 hold-down timer breaking Unbound (but
> > > not BIND 9) as a finding
> >
> > IMHO, it is the opposite: BIND ignores the mandatory hold-down timer
> > (and thus works) while Unbound does the right thing (and breaks when
> > the timer was not respected, as in the Yeti root key rollover).
I checked and you are correct, this is actually a bug in BIND 9:
    Once the timer expires, the new key will be added as a trust anchor
    the next time the validated RRSet with the new key is seen at the
    resolver. The resolver MUST NOT treat the new key as a trust anchor
    until the hold-down time expires AND it has retrieved and validated a
    DNSKEY RRSet after the hold-down time that contains the new key.
I thought it was a "SHOULD NOT".
In any case, I was intending to say that either BIND 9 or Unbound is
bad, just that when we rolled the key one resolver continued to
function and the other did not. Probably I should not have said
"breaks".
Personally I question the value of the hold-down timer, and would like
to run a separate experiment to see what happens if we actually try to
use it. :)
> To help people breaking the 5011 protocol, unbound now has an option to do so:
>
> # instruct the auto-trust-anchor-file probing to add anchors after ttl.
> # add-holddown: 2592000 # 30 days
>
> # instruct the auto-trust-anchor-file probing to del anchors after ttl.
> # del-holddown: 2592000 # 30 days
>
> Not released yet I think, but in the repository
I'm not sure this is actually very useful. As someone running a trust
anchor that relies on RFC 5011 (which realistically is just the root,
test domains, and possibly a few domains who don't have a signed
parent), you basically have to assume the 30-day hold-down timer as
specified.
OTOH I guess someone, somewhere thought it was useful for them,
otherwise it would not have been added. :P
Cheers,
--
Shane
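As an added illustration (not part of the thread, and not Unbound's or BIND's code), the add-side rules of RFC 5011 quoted above as a small state machine in Python. The key tags "old"/"new", the once-a-day polling and the `gap` parameter are constructed assumptions used to show why a rollover faster than the hold-down timer leaves a strictly conforming resolver without the new anchor.

```python
# Added example: RFC 5011 add-side trust anchor state machine (Start ->
# AddPend -> Valid), simulated against a constructed key rollover timeline.
from dataclasses import dataclass, field

DAY = 24 * 3600
HOLD_DOWN = 30 * DAY  # RFC 5011 add hold-down: 30 days (2592000 seconds)


@dataclass
class TrustAnchorSet:
    valid: set = field(default_factory=set)       # keys usable for validation
    add_pend: dict = field(default_factory=dict)  # key -> time first seen

    def observe(self, now, dnskey_rrset):
        """Feed one *validated* DNSKEY RRSet (a set of key tags) seen at `now`.

        - a key first seen in a validated RRSet enters AddPend (timer starts);
        - a pending key missing from a later RRSet goes back to Start;
        - a pending key becomes Valid only when it is still present in an RRSet
          retrieved after the hold-down time has elapsed: timer expiry alone
          never promotes a key.
        """
        for tag in list(self.add_pend):
            if tag not in dnskey_rrset:
                del self.add_pend[tag]          # KeyRem: back to Start
        for tag in dnskey_rrset:
            if tag in self.valid:
                continue
            if tag not in self.add_pend:
                self.add_pend[tag] = now        # NewKey: start the timer
            elif now - self.add_pend[tag] > HOLD_DOWN:
                del self.add_pend[tag]          # AddTime: promote to Valid
                self.valid.add(tag)
        return set(self.valid)


def rollover_outcome(days_published, gap=None):
    """Poll once a day while the zone publishes {old, new}; return True if the
    resolver trusts "new" at the end. gap=(a, b) hides "new" on days a..b-1,
    modelling a key that is withdrawn and re-published (restarts the timer)."""
    tas = TrustAnchorSet(valid={"old"})
    trusted = set()
    for day in range(days_published + 1):
        rrset = {"old", "new"}
        if gap and gap[0] <= day < gap[1]:
            rrset = {"old"}
        trusted = tas.observe(day * DAY, rrset)
    return "new" in trusted


if __name__ == "__main__":
    print(rollover_outcome(29), rollover_outcome(31))  # False True
```

Run as-is, it shows that publishing the new key alongside the old one for 29 days leaves it untrusted while 31 days of publication promotes it; the `gap` case shows the timer restarting when the key briefly disappears.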