ISC DLV dnssec
Mark Andrews
Mark_Andrews at isc.org
Sun Apr 5 21:40:01 UTC 2009
In message <e754e90904051051i60b347b6paf44a833c02a873f at mail.gmail.com>, R Dicaire writes:
> Hi folks, last night the ISC server responsible for responding to DLV
> lookups was apparently down. Since all lookups were failing due to a
> lack of response from this server, bind couldn't resolve anything at
> all. I had to comment out a couple lines in named.conf to restore
> function.
>
> bind-9.4.3-P2
>
> Here's the dnssec configuration lines used in named.conf:
>
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside . trust-anchor dlv.isc.org.;
>
> trusted-keys {
> dlv.isc.org. 257 3 5
> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> brhQv5rN32RKtMzX6Mj70jdzeN
> D4XknW58dnJNPCxn8+jAGl2FZLK8t+
> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> ymX4BI/oQ+cAK50/xvJv00Frf
> 8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> QKtUdvNXDrYJDSHZws3xiRXF
> 1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
> };
>
> I'm not sure, but if a lookup fails dnssec auth, shouldn't bind treat
> the answer as insecure, and return said answer?
No. Otherwise you could cause the nameserver to accept a
bogus answer when it shouldn't.
> In the scenario described above, I wasn't even able to get answers,
> let alone whether said answers could be authenticated.
> Bv9ARM.pdf is unclear regarding how bind should behave regarding use
> of dnssec-validation directive.
>
> Shouldn't the behaviour for DLV lookups be such that if the query
> can't be answered by the DLV server, then fall back to a non-dnssec
> lookup?
No.
> Perhaps there's a configuration issue I'm using that caused this
> unexpected behaviour I describe?
There was a fault which caused RRSIG of the key signing key
to be missing. The key signing key is the one listed in
the trusted-keys clause above. This caused a break in the
chain of trust as the DNSKEY RRset could not be validated
which meant named could not determine if the answers to the
DLV queries were valid or not and in turn the answers to
all other queries.
Mark
> Thanks
>
> --
> aRDy Music and Rick Dicaire present:
> http://www.ardynet.com
> http://www.ardynet.com:9000/ardymusic.ogg.m3u
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
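Mark's point (a missing RRSIG over the DNSKEY RRset is bogus, not insecure, and with lookaside it takes every other lookup down with it) as an added toy model of the validator's decision; this is not BIND code, does no cryptography, and the key tags and record data are constructed:

```python
"""Toy model of the validation outcomes in the thread (constructed data).

An RRSIG is modelled as 'key tag -> does the signature verify'; a real
validator does the cryptography, only the decision logic is shown here.
"""
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass
class Zone:
    keytags: set                 # key tags in the zone's DNSKEY RRset
    dnskey_rrsigs: dict          # key tag -> RRSIG over DNSKEY verifies?
    denial_signed: bool = True   # NSEC/NSEC3 proof of absence verifies?


def dnskey_status(zone: Zone, anchor_keytag: int) -> str:
    """A trust anchor must match a DNSKEY *and* that key must have a valid
    RRSIG over the DNSKEY RRset. No (or a bad) RRSIG is BOGUS, never
    insecure: a chain was expected and could not be verified."""
    if anchor_keytag not in zone.keytags:
        return BOGUS
    return SECURE if zone.dnskey_rrsigs.get(anchor_keytag) else BOGUS


def lookaside_lookup(dlv_zone: Zone, dlv_anchor: int,
                     has_dlv_record: bool, answer_sig_ok: bool) -> str:
    """Outcome for a name covered only via the lookaside zone, as with
    'dnssec-lookaside . trust-anchor dlv.isc.org.'."""
    if dnskey_status(dlv_zone, dlv_anchor) != SECURE:
        return BOGUS   # cannot tell whether a DLV record exists: SERVFAIL
    if not has_dlv_record:
        # Provable absence of a DLV record is what makes a name insecure.
        return INSECURE if dlv_zone.denial_signed else BOGUS
    return SECURE if answer_sig_ok else BOGUS


def resolver_reply(status: str) -> str:
    """Insecure answers are returned; bogus ones are not (SERVFAIL)."""
    return "answer" if status in (SECURE, INSECURE) else "SERVFAIL"


if __name__ == "__main__":
    TAG = 12345  # constructed key tag, stands in for the DLV KSK
    healthy = Zone({TAG}, {TAG: True})
    broken = Zone({TAG}, {})  # KSK RRSIG missing, as in the thread
    print(resolver_reply(lookaside_lookup(healthy, TAG, False, True)))
    print(resolver_reply(lookaside_lookup(broken, TAG, False, True)))
```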