[ksk-rollover] Description of my analysis of the too-many-KSK queries problem

Evan Hunt each at isc.org
Thu Apr 4 17:17:28 UTC 2019


On Thu, Apr 04, 2019 at 12:54:37PM -0400, Roy Arends wrote:
> Hi Evan, can you elaborate on the looping bug? For example, what
> combination of configuration statements would cause this, and why was a
> revoked key special in this case.

It was similar to the environment Wes set up, I found it while trying to
reproduce his report. When starting named with either a managed-keys
database containing only KSK-2010, or with no managed-keys database and a
bind.keys file containing only KSK-2010, named sent a key refresh query for
./DNSKEY, got back a response containing KSK-2010 with the REVOKED bit set,
validated it but failed to record the revocation, and immediately retried
the query.

I believe it was fixed in this commit, around line 8940 in lib/dns/zone.c:
https://gitlab.isc.org/isc-projects/bind9/commit/f87d4ca08

Since the revoked key is no longer in the root zone, I'll need to set up a
toy root server to confirm that that was indeed the relevant change; I
haven't done so yet.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
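The refresh behaviour Evan describes above can be modelled as a small RFC 5011 state machine. The following is an added illustration, not code from the thread and not BIND's own code: the key tag routine follows RFC 4034 Appendix B, the REVOKE flag value comes from RFC 5011, and the managed-keys table, function names and sample key bytes are all constructed for the example. It shows why a trusted anchor that arrives with the REVOKED bit set must be recorded as revoked: if the refresh validates the revocation but leaves the table entry as "trusted", the next pass still sees stale state and re-queries immediately.

```python
"""Toy model of an RFC 5011 managed-keys refresh (constructed example,
not BIND code). Demonstrates the retry loop caused by validating a
revoked trust anchor without recording the revocation."""
import struct
from dataclasses import dataclass

ZONE_FLAG = 0x0100    # DNSKEY flags bit 7, RFC 4034
REVOKE_FLAG = 0x0080  # DNSKEY flags bit 8, RFC 5011
SEP_FLAG = 0x0001     # DNSKEY flags bit 15, RFC 4034


@dataclass(frozen=True)
class Dnskey:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes  # raw public key bytes (constructed sample data below)


def key_tag(key: Dnskey) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B.

    Note that revoking a key changes its flags and therefore its tag
    (RFC 5011 section 2.1), so the table below is keyed on the public
    key bytes rather than on the tag."""
    rdata = struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def refresh_once(table: dict, response: list, record_revocation: bool = True) -> str:
    """Apply one ./DNSKEY refresh response to the managed-keys table.

    `table` maps public key bytes -> "trusted" | "revoked".
    Signature validation of the revoked key with itself (required by
    RFC 5011) is assumed to have succeeded, as it did in the report.
    `record_revocation=False` models the defect: the revocation is seen
    and validated but never written back to the table.

    Returns "retry" when local state is still inconsistent with the
    response, "wait" when the refresh can sleep until its next interval."""
    for key in response:
        if key.pubkey in table and key.flags & REVOKE_FLAG:
            if table[key.pubkey] == "trusted" and record_revocation:
                table[key.pubkey] = "revoked"
    # A key still marked trusted locally but published as revoked by the
    # zone means the table is stale; the state machine refreshes again.
    stale = [k for k in response
             if k.flags & REVOKE_FLAG and table.get(k.pubkey) == "trusted"]
    return "retry" if stale else "wait"


def run_refresh_loop(table: dict, response: list,
                     record_revocation: bool = True, limit: int = 5) -> int:
    """Drive refreshes until the machine asks to wait. Returns the number
    of queries issued, capped at `limit` so the buggy case terminates."""
    queries = 0
    while queries < limit:
        queries += 1
        if refresh_once(table, response, record_revocation) == "wait":
            break
    return queries


# Constructed sample KSK; the bytes are not a real key.
SAMPLE_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])
KSK_TRUSTED = Dnskey(ZONE_FLAG | SEP_FLAG, 3, 8, SAMPLE_PUBKEY)
KSK_REVOKED = Dnskey(ZONE_FLAG | REVOKE_FLAG | SEP_FLAG, 3, 8, SAMPLE_PUBKEY)


def demo() -> tuple:
    """Return (queries with the defect, queries with the fix)."""
    buggy_table = {SAMPLE_PUBKEY: "trusted"}
    fixed_table = {SAMPLE_PUBKEY: "trusted"}
    buggy = run_refresh_loop(buggy_table, [KSK_REVOKED], record_revocation=False)
    fixed = run_refresh_loop(fixed_table, [KSK_REVOKED], record_revocation=True)
    return buggy, fixed


if __name__ == "__main__":
    print("tag trusted/revoked:", key_tag(KSK_TRUSTED), key_tag(KSK_REVOKED))
    print("queries (defect, fix):", demo())
```

With the defect modelled, `run_refresh_loop` only stops because of the cap; with the revocation recorded, the single refresh settles the table and the next query waits for the normal interval. The differing key tags for the same key before and after revocation are the reason the table is indexed by public key material rather than by tag.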