ISC DLV dnssec

Mark Andrews Mark_Andrews at isc.org
Sun Apr 5 21:40:01 UTC 2009


In message <e754e90904051051i60b347b6paf44a833c02a873f at mail.gmail.com>, R Dicaire writes:
> Hi folks, last night the ISC server responsible for responding to DLV
> lookups was apparently down. Since all lookups were failing due to a
> lack of response from this server, bind couldn't resolve anything at
> all. I had to comment out a couple lines in named.conf to restore
> function.
> 
> bind-9.4.3-P2
> 
> Here's the dnssec configuration lines used in named.conf:
> 
>         dnssec-enable yes;
>         dnssec-validation yes;
>         dnssec-lookaside . trust-anchor dlv.isc.org.;
> 
> trusted-keys {
>         dlv.isc.org. 257 3 5
> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> brhQv5rN32RKtMzX6Mj70jdzeN
> D4XknW58dnJNPCxn8+jAGl2FZLK8t+
> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> ymX4BI/oQ+cAK50/xvJv00Frf
> 8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> QKtUdvNXDrYJDSHZws3xiRXF
> 1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
> };
> 
> I'm not sure, but if a lookup fails dnssec auth, shouldn't bind treat
> the answer as insecure, and return said answer?

	No.  Otherwise you could cause the nameserver to accept a
	bogus answer when it shouldn't.  
 
> In the scenario described above, I wasn't even able to get answers,
> let alone whether said answers could be authenticated.
> Bv9ARM.pdf is unclear regarding how bind should behave regarding use
> of dnssec-validation directive.
> 
> Shouldn't the behaviour for DLV lookups be such that if the query
> can't be answered by the DLV server, then fall back to a non-dnssec
> lookup?

	No.
 
> Perhaps there's a configuration issue I'm using that caused this
> unexpected behaviour I describe?

	There was a fault which caused RRSIG of the key signing key
	to be missing.  The key signing key is the one listed in
	the trusted-keys clause above.  This caused a break in the
	chain of trust as the DNSKEY RRset could not be validated
	which meant named could not determine if the answers to the
	DLV queries were valid or not and in turn the answers to
	all other queries.
 
	Mark

> Thanks
> 
> -- 
> aRDy Music and Rick Dicaire present:
> http://www.ardynet.com
> http://www.ardynet.com:9000/ardymusic.ogg.m3u
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
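As an added illustration (not code from this thread or from BIND itself), a small Python model of the fail-closed rule Mark describes: with a trust anchor configured, a DNSKEY RRset that carries no verifiable RRSIG from the anchored KSK is bogus, which yields SERVFAIL rather than an "insecure" answer, while a zone with no anchor at all is merely insecure. Key tags follow RFC 4034 Appendix B; the key bytes are constructed samples and the RRSIG `verifies` flag stands in for the RSA signature check.

```python
from dataclasses import dataclass

@dataclass
class DNSKEY:
    flags: int         # 257 = KSK with SEP bit, as in the trusted-keys clause
    protocol: int      # always 3
    algorithm: int     # 5 = RSA/SHA-1
    public_key: bytes  # sample bytes constructed below, not a real key

    def rdata(self) -> bytes:
        header = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
        return header + self.public_key

    def key_tag(self) -> int:
        ac = 0                          # RFC 4034 Appendix B
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

@dataclass
class RRSIG:
    type_covered: str
    key_tag: int
    verifies: bool  # stands in for the RSA signature check

def validate_dnskey_rrset(dnskeys, rrsigs, trust_anchors):
    """Classify a zone's apex DNSKEY RRset as 'insecure', 'secure' or 'bogus'."""
    if not trust_anchors:
        return "insecure"   # no anchor configured, so no signature is expected
    anchored = [k for k in dnskeys if any(k.rdata() == t.rdata() for t in trust_anchors)]
    for sig in rrsigs:
        if sig.type_covered != "DNSKEY":
            continue
        if any(k.key_tag() == sig.key_tag for k in anchored) and sig.verifies:
            return "secure"
    return "bogus"  # anchored but unprovable: fail closed rather than downgrade

def rcode_for(state):
    # Answers that depend on a bogus DLV apex get SERVFAIL, not an "insecure" reply
    return "SERVFAIL" if state == "bogus" else "NOERROR"

KSK = DNSKEY(257, 3, 5, b"\x01\x02\x03\x04")   # constructed; key tag is 2060
ZSK = DNSKEY(256, 3, 5, b"\x05\x06\x07\x08")   # constructed zone-signing key
def outage_scenario():
    """Healthy apex, the incident (KSK RRSIG missing), and no anchor at all."""
    healthy = [RRSIG("DNSKEY", KSK.key_tag(), True), RRSIG("DNSKEY", ZSK.key_tag(), True)]
    broken = [RRSIG("DNSKEY", ZSK.key_tag(), True)]   # only the ZSK signature is left
    return (validate_dnskey_rrset([KSK, ZSK], healthy, [KSK]),
            validate_dnskey_rrset([KSK, ZSK], broken, [KSK]),
            validate_dnskey_rrset([KSK, ZSK], broken, []))
```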