ISC DLV dnssec

Mark Andrews Mark_Andrews at isc.org
Mon Apr 6 01:23:58 UTC 2009


In message <e754e90904051805i6ac1dda6k57f78be2cf00ab32 at mail.gmail.com>, R Dicaire writes:
> On Sun, Apr 5, 2009 at 8:48 PM, Mark Andrews <Mark_Andrews at isc.org> wrote:
> >        Named is still able to return answers if you tell it not to
> >        validate the answers by setting CD=1 in the query.  This flag
> >        is usually used when you have a validating resolver using another
> >        validating resolver to get its answers.
> >
> >        When the lookups were failing answers like this were returned.
> 
> The one thing I didn't do was a direct dig itself. I was tailing
> dnssec.log and watching the DLV lookups failing, and my web browser
> was failing to load any site, reporting the hostname couldn't be
> resolved.
> 
> Above, you mention setting CD=1 in the query. How is this done by
> applications trying to resolve hostnames
> when there's a problem like last nights?

	Only DNSSEC aware validating applications should do this.

> Would setting the named.conf
> directive dnssec-validation no;
> do this? (as I mentioned previously, I had to comment out
> dnssec-validation and the trust anchor directive that points to ISC so
> I could resolve queries)

	Which is a reasonable response.

	DNSSEC is a bit like digital TV: it's all or nothing.  Zones
	will work or not if there are operator errors.  DLV is just
	a very critical zone in that it works out which zones are
	secure or not, so it is involved in every lookup which is
	not part of a separately configured island of trust.

	When the root is signed and you have a trust anchor for the
	root configured DLV will be used to bridge the gaps in the
	delegation chains.  Lookups in secure zones for which there
	is a theoretical secure path won't use DLV.
 
	Mark

> -- 
> 
> aRDy Music and Rick Dicaire present:
> http://www.ardynet.com
> http://www.ardynet.com:9000/ardymusic.ogg.m3u
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
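The question above asks how an application actually sets CD=1 in a query. The following is an added example, not code from this thread or from ISC: it builds the DNS header by hand with the CD (Checking Disabled) bit set, which is what `dig +cd` puts on the wire, and classifies a reply by its RCODE and AD/CD bits so the difference between "validation failed, answer withheld" (SERVFAIL), "validated" (AD=1) and "returned unvalidated because the client asked" (CD=1) is visible. The responses are constructed in-process (`make_response`) so nothing touches the network; all names and flag layouts follow RFC 1035 and RFC 4035.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, AD/CD from RFC 4035 section 3.2).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, checking_disabled=False):
    """Build a recursive query (RD=1); with checking_disabled=True the CD bit
    is set, which is exactly what `dig +cd` sends."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_header(packet):
    """Decode the 12-byte header into the fields a client cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),   # resolver asserts that it validated the data
        "cd": bool(flags & CD),   # validation was disabled for this query
        "rcode": RCODES.get(flags & RCODE_MASK, str(flags & RCODE_MASK)),
        "ancount": an,
    }


def make_response(query, rcode=0, validated=False, ancount=0):
    """Constructed stand-in for a resolver reply (not a real server): echoes
    the txid and CD bit of the query, sets QR/RD/RA and, if the resolver
    validated the answer, AD. The question section is copied back; no RRs
    are needed to demonstrate the header semantics."""
    q = parse_header(query)
    flags = QR | RD | RA | (CD if q["cd"] else 0) | (AD if validated else 0) | rcode
    header = struct.pack("!HHHHHH", q["id"], flags, 1, ancount, 0, 0)
    return header + query[12:]


def classify(response):
    """Explain what a validating resolver's reply means for the client."""
    h = parse_header(response)
    if h["rcode"] == "SERVFAIL" and not h["cd"]:
        return "SERVFAIL: validation failed, resolver withheld the answer"
    if h["rcode"] == "NOERROR" and h["ad"]:
        return "NOERROR/AD: answer validated by the resolver"
    if h["rcode"] == "NOERROR" and h["cd"]:
        return "NOERROR/CD: answer returned without validation (client asked for CD=1)"
    if h["rcode"] == "NOERROR":
        return "NOERROR: answer from an unsigned zone or non-validating resolver"
    return h["rcode"]


if __name__ == "__main__":
    plain = build_query("www.example.com.")
    with_cd = build_query("www.example.com.", checking_disabled=True)
    # What the reporter saw: validation (e.g. a DLV lookup) failing -> SERVFAIL.
    print(classify(make_response(plain, rcode=2)))
    # Same data requested with CD=1: the resolver hands back the unvalidated answer.
    print(classify(make_response(with_cd, ancount=1)))
    # Healthy case: the resolver validated and set AD.
    print(classify(make_response(plain, validated=True, ancount=1)))
```

Only a client that validates for itself should send CD=1, since it is then responsible for checking the RRSIGs it gets back; a stub resolver that sets CD=1 merely to make failures go away is turning DNSSEC off for that query, which is the same effect as `dnssec-validation no;` in named.conf, just per query instead of resolver-wide.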