dnssec lookaside to dlv.isc.org broke recursion

Vinny Abello vinny at tellurian.com
Thu Oct 23 12:22:42 UTC 2008


Hi all,

I've got two recursive DNS servers running on FreeBSD 7.0 each with BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken. I found named crashed on one server, and was still running on the other but not giving any responses. I had a third recursive server that was in a different location, different OS and different config that was working fine. Furthermore, my recursive client counts were over 10x what they should be, reaching the default limit of 1000. Long story short, I finally disabled dnssec and everything started working again. This configuration has been untouched and working for a couple of months now. No changes were made. My relevant configuration is very simple for dnssec and is as follows:

trusted-keys {
    dlv.isc.org. 257 3 5 "BEAAAAPp1USu3BecNerrrd78zxJIslqFaJ9csRkxd9LCMzvk9Z0wFzoF kWAHMmMhWFpSLjPLX8UL6zDg85XE55hzqJKoKJndRqtncUwHkjh6zERN uymtKZSCZvkg5mG6Q9YORkcfkQD2GIRxGwx9$
};

        dnssec-enable yes;
        dnssec-validation yes;

        dnssec-lookaside . trust-anchor dlv.isc.org.;


Any ideas why this broke? It wasn't just dnssec validation that was broken. I could not even resolve the A records for the root servers. My only thought is my trusted-key is no longer valid. Looking at ISC's web site, I see a DLV KSK Public key from 2008/09/21. This is different than the one I was using above. I must have missed it in the instructions somewhere including on that page, but is regular rotation of these keys part of maintenance? I know it is for signed authoritative zones with dnssec, but it isn't clear for using lookaside-validation with ISC. I'm guessing the answer is yes and I should be subscribed to the dlv-announce at isc.org mailing list or wait for a better automated mechanism for this to work.

-Vinny
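A check for the situation described in the post, added here as an example (it is not from the post and not part of BIND): parse a BIND `trusted-keys` statement, compute the RFC 4034 key tag of each configured anchor, and report anchors that no longer appear in the zone's published DNSKEY RRset, which is how a rotated DLV KSK would show up before validation starts failing. The config and the DNSKEY listing below are constructed samples with made-up keys, not the real dlv.isc.org keys.

```python
import base64
import re
import struct

# Constructed sample: a trusted-keys statement in the same shape as the
# one in the post, but with a made-up (not real) DLV key.
TRUSTED_KEYS_CONF = '''
trusted-keys {
    dlv.isc.org. 257 3 5 "AQABAAAB";
};
'''

# Constructed sample of what `dig DNSKEY dlv.isc.org` would print after a
# key rollover: a ZSK plus a new KSK; keys are made up.
PUBLISHED_DNSKEY = '''
dlv.isc.org.  3600  IN  DNSKEY  256 3 5 AQEBAQEB
dlv.isc.org.  3600  IN  DNSKEY  257 3 5 AQACAAAC  ; key id = 1800
'''

TK_RE = re.compile(r'^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;', re.M)
DK_RE = re.compile(r'^\s*(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$', re.M)

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-alg-1 keys)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_keys(text, regex):
    """Return a set of (owner, flags, proto, alg, keytag) for every key found."""
    keys = set()
    for owner, flags, proto, alg, b64 in regex.findall(text):
        # Strip any trailing dig comment and the whitespace dig/BIND insert in the key.
        pub = base64.b64decode("".join(b64.split(";")[0].split()))
        f, p, a = int(flags), int(proto), int(alg)
        keys.add((owner.lower(), f, p, a, key_tag(f, p, a, pub)))
    return keys

def stale_anchors(conf, dnskeys):
    """Configured anchors whose key tag is no longer in the published RRset."""
    return sorted(parse_keys(conf, TK_RE) - parse_keys(dnskeys, DK_RE))

if __name__ == "__main__":
    for owner, flags, proto, alg, tag in stale_anchors(TRUSTED_KEYS_CONF, PUBLISHED_DNSKEY):
        print(f"stale trust anchor: {owner} {flags} {proto} {alg} key tag {tag}")
```

Running it against live data means replacing the two constructed strings with the contents of named.conf and the output of dig; a non-empty result is the early warning the post asked for.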
