[Yeti DNS Discuss] Re: Resolved! Yeti signatures missing: reconfigure your resolvers

Davey Song(宋林健) ljsong at biigroup.cn
Fri May 11 03:49:40 UTC 2018


Yes. You are right. We need to enhance our urgent plan and monitoring for such events.

I found that in the current plan only a new IANA serial can trigger the update (the recovered zone). We are in a passive position to react to such failures. If we issue a new serial, it will be ahead of the IANA serial and send no notify for the next real serial when it comes.

Davey

> -----Original Message-----
> From: Paul Vixie [mailto:paul at redbarn.org]
> Sent: May 11, 2018 11:10
> To: "Davey Song(宋林健)"
> Cc: 'Stephane Bortzmeyer'; discuss at lists.yeti-dns.org
> Subject: Re: [Yeti DNS Discuss] Resolved! Yeti signatures missing: reconfigure
> your resolvers
> 
> in contrast, i introduced a bug into the tisf dm a couple of months ago, and the
> monitoring system has refused to publish any broken zone since then. silence is
> better than incorrectness.
> 
> re:
> 
> Davey Song(宋林健) wrote:
> > Now most of the servers have updated to the latest root zone (except
> > yeti-dns01.dnsworkshop.org). The problem is resolved!
> >
> > Brief report of that failure: after troubleshooting, it was found that
> > a power failure days ago stopped the BII DM from generating a new ZSK
> > during the ZSK rollover. And the old ZSK was invalid at that time. Sadly
> > the monitoring script (affected by that power failure) did not capture
> > that event. We update the script to check the whole zone before
> > publishing it and add more client agents to monitor the DM.
> >
> > I'm sorry for that loss. We could have reacted more promptly yesterday
> > in the middle of the night.
> >
> > Davey
> >
> >> -----Original Message-----
> >> From: discuss [mailto:discuss-bounces at lists.yeti-dns.org] On Behalf Of
> >> Stephane Bortzmeyer
> >> Sent: May 11, 2018 0:36
> >> To: discuss at lists.yeti-dns.org
> >> Subject: [Yeti DNS Discuss] Yeti signatures missing: reconfigure your
> >> resolvers
> >>
> >> Today, the Yeti root name servers stopped sending signatures with the
> >> data. As a result, validating DNS resolvers using the Yeti root stopped
> >> working, returning SERVFAIL to queries.
> >>
> >> If you use a Yeti resolver, change to a non-Yeti one, or, if you are
> >> the resolver administrator, change to another root, while the problem
> >> is still there.
> >> _______________________________________________
> >> discuss mailing list
> >> discuss at lists.yeti-dns.org
> >> http://lists.yeti-dns.org/mailman/listinfo/discuss
> >
> >
> >
> 
> --
> P Vixie
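
Added example, not part of the original thread and not the Yeti DM's own script: a pre-publication gate in the spirit of the "check the whole zone before publishing" fix and the "refuse to publish a broken zone" monitoring discussed above. It assumes one record per line in `owner TTL class type rdata` form, checks only the apex SOA/NS/DNSKEY RRsets for an RRSIG whose validity window covers the current time and whose key tag matches a published DNSKEY, and does not verify signatures cryptographically; all names, keys and records are constructed.

```python
import base64, struct
from datetime import datetime, timezone

def key_tag(flags, proto, alg, pubkey_b64):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ts(s):
    """RRSIG times in presentation form are YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def publish_gate(zone_text, now, must_sign=("SOA", "NS", "DNSKEY")):
    """Return a list of problems; publish only when it is empty."""
    tags, sigs, seen = set(), {}, set()
    for line in zone_text.strip().splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != ".":
            continue  # skip blanks; this sketch checks the apex RRsets only
        rtype, rdata = f[3], f[4:]
        if rtype == "DNSKEY":
            tags.add(key_tag(int(rdata[0]), int(rdata[1]), int(rdata[2]), "".join(rdata[3:])))
        if rtype == "RRSIG":
            # rdata: covered alg labels ttl expiration inception keytag signer sig
            sigs.setdefault(rdata[0], []).append((ts(rdata[5]), ts(rdata[4]), int(rdata[6])))
        else:
            seen.add(rtype)
    problems = []
    for rtype in must_sign:
        ok = any(inc <= now <= exp and tag in tags for inc, exp, tag in sigs.get(rtype, []))
        if rtype not in seen:
            problems.append(f"{rtype}: RRset missing at apex")
        elif not ok:
            problems.append(f"{rtype}: no RRSIG valid now from a published DNSKEY")
    return problems

# Constructed sample data (not real Yeti keys, signatures or serials).
PUB = base64.b64encode(b"constructed ZSK public key").decode()
TAG = key_tag(256, 3, 8, PUB)
NOW = datetime(2018, 5, 11, tzinfo=timezone.utc)
SIG = f"8 0 86400 20180520000000 20180501000000 {TAG} . c2ln"
GOOD = "\n".join([
    ". 86400 IN SOA a.example. b.example. 2018051100 1800 900 604800 86400",
    ". 86400 IN NS a.example.",
    f". 86400 IN DNSKEY 256 3 8 {PUB}",
] + [f". 86400 IN RRSIG {t} {SIG}" for t in ("SOA", "NS", "DNSKEY")])
UNSIGNED = "\n".join(l for l in GOOD.splitlines() if " RRSIG " not in l)
```

`publish_gate(UNSIGNED, NOW)` reports all three apex RRsets, which is the condition a distribution master would treat as "do not publish, keep serving the previous zone".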




