Necessity of DNSSEC Lookaside Validation(DLV)

Kevin Darcy kcd at chrysler.com
Thu Apr 9 21:20:42 UTC 2009


Chandan,

Are you more interested in marking off bullet points on some
"security compliance checklist", or actual, practical, real-world
security?

Just wondering...

                                                                         
- Kevin

Chandan Laskar wrote:
>
> Thanks Bill.
>
> We have an authoritative Name Server. Caching is not enabled in the Name 
> Server.
>
> Also based on website 
> (http://www.netwidget.net/books/apress/dns/info/dlv.html), DLV is not 
> an IETF standardized feature and BIND 9.3.2 (We have 9.6.0.-P1) is the 
> current recommended implementation Version.
>
> So I am still not convinced about the necessity of DLV incorporation in 
> our Setup.
>
> I will be grateful if you provide me more suggestions.
>
> Thanks and regards,
> Chandan Laskar
> 2nd Floor Data Center, ITC Center,
> 4, Russel Street, Kolkata - 700 016
> Phone:(033)-22889900 Extn.: 3944      
>             (0)-9830057396 (M)      
>
>
> *Bill Larson <wllarso at swcp.com>*
> 04/07/2009 09:30 PM
> To: Chandan Laskar <Chandan.Laskar at itc.in>
> cc: bind-users at lists.isc.org
> Subject: Re: Necessity of DNSSEC Lookaside Validation(DLV)
>
> On Apr 7, 2009, at 9:43 AM, Chandan Laskar wrote:
>
> Hi,
> We have deployed DNS on RHEL 5 Update 1. Below are the features of our DNS.
>
> 1. Implemented OS Security Best Practice (e.g. Enable MD5 and shadow 
> passwords, Root Login Console Restricted, Configure SSH as an 
> alternative of Telnet, etc.).
> 2. Configured Openssl Version 0.9.8j.
> 3. Configured BIND 9.6.0-P1 with CHROOT Environment. So BIND is not 
> running as root user.
> 4. IPTABLES has been configured to block all the irrelevant ports.
> 5. Allow Update Feature in named.conf is not changed. So, by default 
> it is 'NO'.
>
> After all the above mentioned protection do we really need to 
> incorporate DNSSEC Lookaside Validation(DLV) in our DNS?
>
> Suggestion Please.
>
> Your implementation is protecting the DNS server itself - very good. 
> The purpose of DLV is to insure that the DNS data that your server 
> provides, and all DNSSEC data your server processes, is valid.
>
> The DNSSEC/DLV configuration protects your DNS data from being 
> "spoofed" on another DNS server.  It also insures that the DNS data 
> that your server may be handing out recursively from being 
> compromised.  Protecting both sides of the DNS service for your users 
> is necessary (at least important).