Necessity of DNSSEC Lookaside Validation(DLV)

Bill Larson wllarso at swcp.com
Tue Apr 7 16:00:01 UTC 2009


On Apr 7, 2009, at 9:43 AM, Chandan Laskar wrote:

> Hi,
> We have deployed DNS  on RHEL 5 Update 1. Below are feature of our  
> DNS.
>
> 1. Implemented OS Security Best Practice ( e.g. Enable MD5 and  
> shadow passwords, Root Login Console Restricted, Configure SSH as an  
> alternative of Telnet e.t.c.).
> 2. Configured Openssl Version 0.9.8j.
> 3. Configured BIND 9.6.0-P1 with CHROOT Environment. So BIND is not  
> running as root user.
> 4. IPTABLES has been configured to block all the irrelevant ports.
> 5. Allow Update Feature in named.conf is not changed. So, by default  
> it is 'NO'
>
> After all the above mentioned protection do we really need to  
> incorporate DNSSEC Lookaside Validation(DLV) in our DNS?
>
> Suggestion Please.

Your implementation is protecting the DNS server itself - very good.   
The purpose of DLV is to insure that the DNS data that your server  
provides, and all DNSSEC data your server processes, is valid.

The DNSSEC/DLV configuration protects your DNS data from being  
"spoofed" on another DNS server.  It also insures that the DNS data  
that your server may be handing out recursively from being  
compromised.  Protecting both sides of the DNS service for your users  
is necessary (at least important).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20090407/91a1f4bb/attachment.html>


More information about the bind-users mailing list