ISC DLV dnssec
Mark Andrews
Mark_Andrews at isc.org
Mon Apr 6 01:23:58 UTC 2009
In message <e754e90904051805i6ac1dda6k57f78be2cf00ab32 at mail.gmail.com>, R Dicaire writes:
> On Sun, Apr 5, 2009 at 8:48 PM, Mark Andrews <Mark_Andrews at isc.org> wrote:
> > Named is still able to return answers if you tell it not to
> > validate the answers by setting CD=1 in the query. This flag
> > is usually used when you have a validating resolver using another
> > validating resolver to get its answers.
> >
> > When the lookups were failing answers like this were returned.
>
> The one thing I didn't do was a direct dig itself. I was tailing
> dnssec.log and watching the DLV lookups failing, and my web browser
> was failing to load any site, reporting the hostname couldn't be
> resolved.
>
> Above, you mention setting CD=1 in the query. How is this done by
> applications trying to resolve hostnames
> when there's a problem like last night's?
Only DNSSEC aware validating applications should do this.
> Would setting the named.conf
> directive dnssec-validation no;
> do this? (as I mentioned previously, I had to comment out
> dnssec-validation and the trust anchor directive that points to ISC so
> I could resolve queries)
Which is a reasonable response.
DNSSEC is a bit like digital TV: it's all or nothing. Zones
will work or not if there are operator errors. DLV is just
a very critical zone in that it works out which zones are
secure or not, so it is involved in every lookup which is
not part of a separately configured island of trust.
When the root is signed and you have a trust anchor for the
root configured DLV will be used to bridge the gaps in the
delegation chains. Lookups in secure zones for which there
is a theoretical secure path won't use DLV.
Mark
> --
>
> aRDy Music and Rick Dicaire present:
> http://www.ardynet.com
> http://www.ardynet.com:9000/ardymusic.ogg.m3u
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
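As an added illustration (not part of the thread, and not ISC code), the following Python script shows what "setting CD=1 in the query" means at the wire level and how a client can read a resolver's answer. It builds a DNS query with the Checking Disabled bit set, which is what `dig +cdflag` sends, and classifies a response by its rcode and its AD/CD bits: SERVFAIL on a CD=0 query is what a validating named returns when validation (for example a DLV lookup) fails, AD=1 means the resolver validated the answer, and CD=1 means the client asked for an unvalidated answer. The responses are constructed locally so nothing goes on the wire; EDNS and the DO bit are left out for brevity, and `www.example.com` is just a sample name.

```python
import random
import struct

# DNS header flag bits (RFC 1035 header layout, AD/CD from RFC 4035)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authentic Data: the resolver validated this answer
FLAG_CD = 0x0010  # Checking Disabled: client asks the resolver not to validate
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, cd=False, txid=None):
    """Build a minimal DNS query; set the CD bit when cd=True.

    A validating resolver whose validation is failing will still hand back
    whatever it found for a CD=1 query instead of returning SERVFAIL.
    Only a client that validates answers itself should send CD=1.
    """
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = FLAG_RD
    if cd:
        flags |= FLAG_CD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_header(packet):
    """Return the header fields that matter for judging DNSSEC status."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
    }


def classify_response(packet):
    """Describe what a validating resolver's response tells the client."""
    h = parse_header(packet)
    if not h["is_response"]:
        return "not a response"
    if h["rcode"] == RCODE_SERVFAIL:
        # With CD=0 this is the symptom seen during the DLV outage above.
        if not h["cd"]:
            return "SERVFAIL (validation may have failed)"
        return "SERVFAIL"
    if h["ad"]:
        return "validated (AD=1)"
    if h["cd"]:
        return "unvalidated (CD=1, validation skipped at client request)"
    return "unvalidated (AD=0)"


def make_response(query, rcode=0, ad=False):
    """Constructed sample: turn a query into a minimal response header.

    Real resolvers echo the query's CD bit and set AD only when they
    actually validated the answer; this helper mimics that.
    """
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags |= FLAG_QR | FLAG_RA
    flags = (flags & ~RCODE_MASK) | rcode
    if ad:
        flags |= FLAG_AD
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    name = "www.example.com"  # sample name, not from the thread
    normal = build_query(name)
    print("CD=0 query, validation broken:",
          classify_response(make_response(normal, rcode=RCODE_SERVFAIL)))
    print("CD=0 query, validated:",
          classify_response(make_response(normal, ad=True)))
    print("CD=1 query, validation broken:",
          classify_response(make_response(build_query(name, cd=True))))
```

Note that a web browser or libc stub resolver never sets CD, which is why an ordinary application sees only the SERVFAIL case when its validating resolver's DLV lookups fail; turning off `dnssec-validation` in named.conf, as Rick did, makes named itself stop validating so every client gets the unvalidated answer.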