dnssec lookaside to dlv.isc.org broke recursion

Vinny Abello vinny at tellurian.com
Thu Oct 23 14:25:25 UTC 2008


> -----Original Message-----
> From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org]
> Sent: Thursday, October 23, 2008 10:07 AM
> To: Vinny Abello
> Cc: bind-users at isc.org
> Subject: Re: dnssec lookaside to dlv.isc.org broke recursion
> 
> 
> In message
> <15CEC87F00BB7B4CA0E904C5FCF056463C1617AC at EXCHANGENJ1.ds.tellurian.net>,
> Vinny Abello writes:
> > Hi all,
> >
> > I've got two recursive DNS servers running on FreeBSD 7.0 each with
> > BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.
> > I found named crashed on one server, and was still running on the
> > other but not giving any responses. I had a third recursive server
> > that was in a different location, different OS and different config
> > that was working fine. Furthermore, my recursive client counts were
> > over 10x what they should be, reaching the default limit of 1000.
> > Long story short, I finally disabled dnssec and everything started
> > working again. This configuration has been untouched and working for
> > a couple of months now. No changes were made. My relevant
> > configuration is very simple for dnssec and is as follows:
> >
> > trusted-keys {
> >     dlv.isc.org. 257 3 5 "BEAAAAPp1USu3BecNerrrd78zxJIslqFaJ9csRkxd9LCMzvk9Z0
> > wFzoF kWAHMmMhWFpSLjPLX8UL6zDg85XE55hzqJKoKJndRqtncUwHkjh6zERNuymtKZSCZvkg5m
> > G6Q9YORkcfkQD2GIRxGwx9$
> > };
> >
> >         dnssec-enable yes;
> >         dnssec-validation yes;
> >
> >         dnssec-lookaside . trust-anchor dlv.isc.org.;
> >
> >
> > Any ideas why this broke? It wasn't just dnssec validation that was
> > broken. I could not even resolve the A records for the root servers.
> 
> 	Which is to be expected when you have an out of date trust
> 	anchor of a dlv registry.  When you are using DLV you have
> 	to prove that there isn't a DLV record which covers the
> 	name or else you can be open to a downgrade attack.

OK, thanks for the confirmation on that, Mark.

> 
> > My only thought is my trusted-key is no longer valid. Looking at
> > ISC's web site, I see a DLV KSK Public key from 2008/09/21. This is
> > different than the one I was using above. I must have missed it in
> > the instructions somewhere including on that page, but is regular
> > rotation of these keys part of maintenance?
> 
> 	Yes.

Can you point me to the warning to operators in the instructions for setting this up? I can't seem to locate that. I'm viewing the following instructions:

https://secure.isc.org/index.pl?/ops/dlv/

Maybe I'm naive, but I don't think it should be assumed someone following a guide to set this up for their recursive DNS server is versed enough in the internal workings of dnssec to realize they will cause an outage without regular updates of the key. I've also seen several presentations on how to set this up which were similar. I must have also missed that part of the regular maintenance of the recursive server.

> 
> > I know it is for signed authoritative zones with dnssec, but it isn't
> > clear for using lookaside-validation with ISC.
> 
> 	dlv.isc.org is a signed zone.  The keys get rolled the same as
> 	any other zone.

Makes sense now.

> 
> > I'm guessing the answer is yes and I should be subscribed to the
> > dlv-announce at isc.org mailing list or wait for a better automated
> > mechanism for this to work.
> 
> 	Correct.  You can also use
> 
> 	"dig dnskey dlv.isc.org @127.0.0.1 | grep 257"
> 
> 	daily from cron and when the answer changes go check the web site.
> 	I do something like this for all my trust anchors.
> 
> % dig dnskey dlv.isc.org @127.0.0.1 | grep 257
> dlv.isc.org.            7200    IN      DNSKEY  257 3 5
> BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
> %

Is there a best practice for getting this info into BIND in an automated fashion? I'm sure I could think of a way and script it, but why reinvent the wheel? If this is manual maintenance that has to be monitored and updated or else everything breaks, I can see some of the hesitation in using dnssec. That was my reservation in signing my own zones but the same issue exists here just to validate them.

Will this always be the case even when the root becomes signed or is this just due to using the lookaside validation with DLV?

Thanks for your response and time, Mark.

-Vinny
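The daily "dig dnskey dlv.isc.org | grep 257" check Mark suggests, and the question above about automating it, as an added example that is not part of the original thread: a small Python script that parses plain dig DNSKEY output, computes each KSK's key tag as defined in RFC 4034 Appendix B, and reports KSKs that appeared or disappeared relative to the tags you currently trust (so a roll is noticed before validation starts failing). The zone name and key material in the sample are constructed, not the real dlv.isc.org keys.

```python
import base64
import struct

# Constructed sample of plain `dig dnskey <zone> @127.0.0.1` output (run dig
# without +multiline so each record stays on one line). Zone name and key
# bytes are made up for this example, not the real dlv.isc.org keys.
SAMPLE_DIG = """\
;; ANSWER SECTION:
dlv.example.            7200    IN      DNSKEY  257 3 5 AQAB AAAA
dlv.example.            7200    IN      DNSKEY  256 3 5 AQAB AAAC
"""

def parse_dnskeys(dig_text):
    """Return (owner, flags, protocol, algorithm, key_bytes) per DNSKEY line."""
    records = []
    for line in dig_text.splitlines():
        parts = line.split()
        # owner TTL IN DNSKEY flags proto alg base64...  (';' lines are comments)
        if len(parts) < 8 or parts[0].startswith(";") or parts[3] != "DNSKEY":
            continue
        flags, proto, alg = int(parts[4]), int(parts[5]), int(parts[6])
        key = base64.b64decode("".join(parts[7:]))  # dig splits base64 with spaces
        records.append((parts[0], flags, proto, alg, key))
    return records

def key_tag(flags, proto, alg, key):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all but RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ksk_changes(dig_text, trusted_tags):
    """Compare published KSKs (SEP bit set) with the key tags you trust.

    Returns (appeared, disappeared); either being non-empty means the
    trust anchor needs a human look, as happened in this thread.
    """
    published = {key_tag(f, p, a, k)
                 for _, f, p, a, k in parse_dnskeys(dig_text) if f & 1}
    return published - set(trusted_tags), set(trusted_tags) - published

if __name__ == "__main__":
    appeared, gone = ksk_changes(SAMPLE_DIG, {1542})
    print("new KSK tags:", sorted(appeared), "missing KSK tags:", sorted(gone))
```

Feeding it live dig output from cron and mailing yourself whenever either set is non-empty gives the alert Mark describes without having to eyeball the key text.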


