Necessity of DNSSEC Lookaside Validation(DLV)
Bill Larson
wllarso at swcp.com
Tue Apr 7 16:00:01 UTC 2009
On Apr 7, 2009, at 9:43 AM, Chandan Laskar wrote:
> Hi,
> We have deployed DNS on RHEL 5 Update 1. Below are feature of our
> DNS.
>
> 1. Implemented OS Security Best Practice ( e.g. Enable MD5 and
> shadow passwords, Root Login Console Restricted, Configure SSH as an
> alternative of Telnet e.t.c.).
> 2. Configured Openssl Version 0.9.8j.
> 3. Configured BIND 9.6.0-P1 with CHROOT Environment. So BIND is not
> running as root user.
> 4. IPTABLES has been configured to block all the irrelevant ports.
> 5. Allow Update Feature in named.conf is not changed. So, by default
> it is 'NO'
>
> After all the above mentioned protection do we really need to
> incorporate DNSSEC Lookaside Validation(DLV) in our DNS?
>
> Suggestion Please.
Your implementation is protecting the DNS server itself - very good.
The purpose of DLV is to insure that the DNS data that your server
provides, and all DNSSEC data your server processes, is valid.
The DNSSEC/DLV configuration protects your DNS data from being
"spoofed" on another DNS server. It also insures that the DNS data
that your server may be handing out recursively from being
compromised. Protecting both sides of the DNS service for your users
is necessary (at least important).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20090407/91a1f4bb/attachment.html>
More information about the bind-users
mailing list