dnssec lookaside to dlv.isc.org broke recursion

Mark Andrews Mark_Andrews at isc.org
Thu Oct 23 14:06:34 UTC 2008


In message <15CEC87F00BB7B4CA0E904C5FCF056463C1617AC at EXCHANGENJ1.ds.tellurian.net>, Vinny Abello writes:
> Hi all,
> 
> I've got two recursive DNS servers running on FreeBSD 7.0, each with BIND 9.4.2-P2.
> I got a call this morning that DNS lookups were broken. I found named crashed on
> one server, and it was still running on the other but not giving any responses.
> I had a third recursive server that was in a different location, different OS and
> different config that was working fine. Furthermore, my recursive client counts
> were over 10x what they should be, reaching the default limit of 1000. Long story
> short, I finally disabled dnssec and everything started working again. This
> configuration has been untouched and working for a couple of months now. No
> changes were made. My relevant configuration is very simple for dnssec and is as
> follows:
> 
> trusted-keys {
>     dlv.isc.org. 257 3 5 "BEAAAAPp1USu3BecNerrrd78zxJIslqFaJ9csRkxd9LCMzvk9Z0
> wFzoF kWAHMmMhWFpSLjPLX8UL6zDg85XE55hzqJKoKJndRqtncUwHkjh6zERN uymtKZSCZvkg5m
> G6Q9YORkcfkQD2GIRxGwx9$
> };
> 
>         dnssec-enable yes;
>         dnssec-validation yes;
> 
>         dnssec-lookaside . trust-anchor dlv.isc.org.;
> 
> 
> Any ideas why this broke? It wasn't just dnssec validation that was broken. I
> could not even resolve the A records for the root servers.

	Which is to be expected when you have an out-of-date trust
	anchor for a DLV registry.  When you are using DLV you have
	to prove that there isn't a DLV record which covers the
	name, or else you can be open to a downgrade attack.

> My only thought is my trusted-key is no longer valid. Looking at ISC's web
> site, I see a DLV KSK Public key from 2008/09/21. This is different than the
> one I was using above. I must have missed it in the instructions somewhere
> including on that page, but is regular rotation of these keys part of
> maintenance?

	Yes.

> I know it is for signed authoritative zones with dnssec, but it isn't clear
> for using lookaside-validation with ISC.

	dlv.isc.org is a signed zone.  The keys get rolled the same as
	in any other zone.

> I'm guessing the answer is yes and I should be subscribed to the
> dlv-announce at isc.org mailing list or wait for a better automated mechanism
> for this to work.

	Correct.  You can also use

	"dig dnskey dlv.isc.org @127.0.0.1 | grep 257"

	daily from cron and when the answer changes go check the web site.
	I do something like this for all my trust anchors.

% dig dnskey dlv.isc.org @127.0.0.1 | grep 257
dlv.isc.org.            7200    IN      DNSKEY  257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
% 
 
	Mark

> -Vinny
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
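Mark's "run dig from cron and notice when the 257 record changes" suggestion, worked into a script as an added example. This is not code from the original post or from ISC; the directory under ANCHOR_DIR, the function names, and the dig output used by run_demo (with truncated key fragments as placeholders, not real keys) are all assumptions made for the example. The script deliberately only alerts: it never rewrites trusted-keys from a DNS answer, since a trust anchor has to be verified out-of-band (the ISC web page or dlv-announce) before it is installed. It also refuses to record or overwrite a baseline when the answer carries no KSK at all, so a resolver outage does not silently erase the reference set.

```shell
#!/bin/sh
# Added example (not from the original post): a cron-style trust-anchor watch.
# It extracts KSK (flags 257) DNSKEY records from "dig dnskey <zone>" output,
# stores the set as a baseline, and reports when a later run sees a different
# set.  It only alerts; the operator still fetches and verifies the new key
# out-of-band before touching trusted-keys.
# Assumptions (illustrative): ANCHOR_DIR, the function names, and the
# constructed dig output in run_demo.

ANCHOR_DIR=${ANCHOR_DIR:-/var/db/trust-anchors}

# Read dig output on stdin; print one normalized line per KSK
# ("owner flags protocol algorithm keydata", base64 whitespace removed),
# sorted so two snapshots compare byte-for-byte.  Comment lines (";") and
# non-DNSKEY records are dropped.  ZSKs (flags 256) are ignored on purpose:
# they roll far more often and are never configured as trust anchors.
extract_ksks() {
    awk '$3 == "IN" && $4 == "DNSKEY" && $5 == 257 {
            key = ""
            for (i = 8; i <= NF; i++) key = key $i
            print $1, $5, $6, $7, key
         }' | sort
}

# check_anchor ZONE BASELINE_FILE DIG_OUTPUT_FILE
#   0: KSK set unchanged   1: changed (diff printed)
#   2: first run, baseline recorded   3: no KSK in answer / local error
check_anchor() {
    zone=$1
    baseline=$2
    current=$3
    new=$(mktemp) || return 3
    extract_ksks < "$current" > "$new"
    if [ ! -s "$new" ]; then
        # Empty answer (resolver down, lookup failed): never treat it as "key gone".
        echo "no KSK seen for $zone; leaving baseline untouched" >&2
        rm -f "$new"
        return 3
    fi
    if [ ! -f "$baseline" ]; then
        mv "$new" "$baseline"
        return 2
    fi
    if cmp -s "$baseline" "$new"; then
        rm -f "$new"
        return 0
    fi
    echo "KSK set for $zone changed; verify the new key out-of-band before updating trusted-keys"
    diff "$baseline" "$new" || true
    rm -f "$new"
    return 1
}

# Live use from cron: ask the local resolver and compare.
watch_zone() {
    zone=$1
    out=$(mktemp) || return 3
    dig +noall +answer dnskey "$zone" @127.0.0.1 > "$out"
    check_anchor "$zone" "$ANCHOR_DIR/$zone.ksk" "$out" && rc=0 || rc=$?
    rm -f "$out"
    return $rc
}

# Offline demonstration on constructed dig output (truncated key fragments,
# not real keys): day 1 records a baseline, a repeat is unchanged, day 2 rolls the KSK.
run_demo() {
    dir=$(mktemp -d) || return 3
    printf '%s\n' \
      ';; ANSWER SECTION:' \
      'dlv.isc.org.            7200    IN      DNSKEY  256 3 5 AQPzskone AQPzskone' \
      'dlv.isc.org.            7200    IN      DNSKEY  257 3 5 BEAAAAPp1USu3 BecNerrrd78z' \
      > "$dir/day1"
    printf '%s\n' \
      'dlv.isc.org.            7200    IN      DNSKEY  256 3 5 AQPzsktwo AQPzsktwo' \
      'dlv.isc.org.            7200    IN      DNSKEY  257 3 5 BEAAAAPHMu/5 onzrEE7z1egm' \
      > "$dir/day2"
    check_anchor dlv.isc.org "$dir/dlv.ksk" "$dir/day1" >&2 && first=0  || first=$?
    check_anchor dlv.isc.org "$dir/dlv.ksk" "$dir/day1" >&2 && second=0 || second=$?
    check_anchor dlv.isc.org "$dir/dlv.ksk" "$dir/day2" >&2 && third=0  || third=$?
    rm -rf "$dir"
    echo "$first $second $third"
}

case "${1:-}" in
    --demo) run_demo ;;
esac
```

Run it as "sh anchor-watch.sh --demo" to see the three outcomes, or put "watch_zone dlv.isc.org" in a daily cron entry (exit status 1 is the "go check the web site" signal). Because the comparison is on the normalized 257 records only, a routine ZSK roll in the zone does not page anyone, while a KSK roll does.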

