[ksk-rollover] Description of my analysis of the too-many-KSK queries problem

Evan Hunt each at isc.org
Thu Apr 4 16:50:34 UTC 2019

On Thu, Apr 04, 2019 at 09:23:17AM -0700, Wes Hardaker wrote:
> > Once the revoked key is removed, it stops.
> Removed from where?  the root zone?  the cache?  The managed keys file?

Root zone. As far as I can tell it never reaches the cache at all.

> Reminder: I was in an airport and working quickly right before the
> flight and right before the 22nd, when the revoked key would be
> removed.  I'm not *positive* there was a correlation between requests
> and outgoing DNSKEY queries since this is from memory and because I was
> working quickly I may not have hit the right conclusion.  Wish I had
> saved pcaps... 

Perhaps, but you described a number of behaviors that were significantly
different, including intermittency, burstiness, and the fact that the
release you were testing should've had the fix for the looping problem...
so there may well be two different bugs. After I'm done with jetlag
recovery I'm planning to build a test environment and keep looking.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
