Necessity of DNSSEC Lookaside Validation(DLV)
Kevin Darcy
kcd at chrysler.com
Thu Apr 9 21:20:42 UTC 2009
Chandan,
Are you more interested in marking off bullet points on
some "security compliance checklist", or actual, practical, real-world
security?
Just wondering...
- Kevin
Chandan Laskar wrote:
>
> Thanks Bill.
>
> We have an authoritative Name Server. Caching is not enabled in the Name
> Server.
>
> Also, based on the website
> (http://www.netwidget.net/books/apress/dns/info/dlv.html), DLV is not
> an IETF standardized feature and BIND 9.3.2 (we have 9.6.0-P1) is the
> current recommended implementation version.
>
> So I am still not convinced about the necessity of DLV incorporation in
> our setup.
>
> I will be grateful if you provide me more suggestions.
>
> Thanks and regards,
> Chandan Laskar
> 2nd Floor Data Center, ITC Center,
> 4, Russel Street, Kolkata - 700 016
> Phone:(033)-22889900 Extn.: 3944
> (0)-9830057396 (M)
>
>
> *Bill Larson <wllarso at swcp.com>*
> 04/07/2009 09:30 PM
>
> To: Chandan Laskar <Chandan.Laskar at itc.in>
> cc: bind-users at lists.isc.org
> Subject: Re: Necessity of DNSSEC Lookaside Validation(DLV)
>
> On Apr 7, 2009, at 9:43 AM, Chandan Laskar wrote:
>
> Hi,
> We have deployed DNS on RHEL 5 Update 1. Below are the features of our DNS.
>
> 1. Implemented OS security best practices (e.g. enabled MD5 and shadow
> passwords, root login on the console restricted, configured SSH as an
> alternative to Telnet, etc.).
> 2. Configured OpenSSL version 0.9.8j.
> 3. Configured BIND 9.6.0-P1 in a CHROOT environment, so BIND is not
> running as the root user.
> 4. IPTABLES has been configured to block all irrelevant ports.
> 5. The Allow Update feature in named.conf is not changed, so by default
> it is 'NO'.
>
> After all the above mentioned protection, do we really need to
> incorporate DNSSEC Lookaside Validation (DLV) in our DNS?
>
> Suggestions please.
>
> Your implementation is protecting the DNS server itself - very good.
> The purpose of DLV is to ensure that the DNS data that your server
> provides, and all DNSSEC data your server processes, is valid.
>
> The DNSSEC/DLV configuration protects your DNS data from being
> "spoofed" on another DNS server. It also protects the DNS data
> that your server may be handing out recursively from being
> compromised. Protecting both sides of the DNS service for your users
> is necessary (at least important).
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
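The thread turns on whether lookaside validation does anything on a server that only serves its own zones. As an added example (not code from the thread, and not part of BIND), the script below reads the global `options { }` block of a named.conf, extracts the `recursion`, `dnssec-validation` and `dnssec-lookaside` settings, and reports whether DLV could have any effect, on the basis that these two DNSSEC options act only in the resolver path. Both configuration texts are constructed for the example; the `trusted-keys` entry is a placeholder, not a real DLV key, and the `dnssec-lookaside` line uses the BIND 9.6 `trust-anchor` syntax.

```python
import re

# Constructed sample resembling the setup described in the thread (BIND 9.6,
# authoritative only, allow-update left at its default). Not the poster's file.
AUTHORITATIVE_CONF = """
options {
    directory "/var/named";
    recursion no;
    dnssec-enable yes;
    // allow-update is not set here: the default is to refuse updates
};

zone "example.test" {
    type master;
    file "example.test.zone";
};
"""

# Constructed sample of a validating resolver with lookaside configured in the
# BIND 9.6 syntax. The trusted-keys entry is a placeholder, not a real DLV key.
RESOLVER_CONF = """
options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};

trusted-keys {
    dlv.isc.org. 257 3 5 "PLACEHOLDER-NOT-A-REAL-KEY";
};
"""

# One single-value statement: "name value;" with no nested { } block.
OPTION_RE = re.compile(r'^\s*([a-z-]+)\s+([^;{]+?)\s*;', re.MULTILINE)


def strip_comments(conf: str) -> str:
    """Drop // and # comments (block /* */ comments are not handled here)."""
    return re.sub(r'(//|#).*', '', conf)


def parse_options(conf: str) -> dict:
    """Return the single-value statements of the global options { } block,
    keyed by statement name with lower-cased values. Assumes the block's
    closing '};' sits at the start of its own line."""
    text = strip_comments(conf)
    m = re.search(r'options\s*\{(.*?)\n\};', text, re.DOTALL)
    if not m:
        return {}
    return {key: value.lower() for key, value in OPTION_RE.findall(m.group(1))}


def assess_lookaside(conf: str) -> dict:
    """Report whether DLV (dnssec-lookaside) could have any effect on this server."""
    opts = parse_options(conf)
    recursion = opts.get('recursion', 'yes')             # BIND default: recursion yes
    validation = opts.get('dnssec-validation', 'unset')  # unset: version default applies
    lookaside = opts.get('dnssec-lookaside', 'unset')
    has_trust_anchor = re.search(r'trusted-keys\s*\{', strip_comments(conf)) is not None

    result = {
        'role': 'authoritative-only' if recursion == 'no' else 'recursive',
        'dnssec_validation': validation,
        'dnssec_lookaside': lookaside,
        'validation_effective': False,
        'notes': [],
    }
    if recursion == 'no':
        result['notes'].append(
            'recursion is off: this server never resolves on behalf of clients, so '
            'dnssec-validation and dnssec-lookaside have nothing to validate; '
            'protecting the data it serves is a matter of signing its own zones.')
        return result

    # Validation only does work when it is not disabled and a trust anchor exists.
    result['validation_effective'] = validation != 'no' and has_trust_anchor
    if not has_trust_anchor:
        result['notes'].append('no trusted-keys block: nothing can be validated')
    if lookaside == 'unset':
        result['notes'].append('dnssec-lookaside not set: validation relies solely on '
                               'the configured trusted-keys chain')
    else:
        result['notes'].append('dnssec-lookaside set: zones without a signed parent '
                               'chain are checked against the lookaside registry')
    return result


if __name__ == '__main__':
    for name, conf in (('authoritative', AUTHORITATIVE_CONF), ('resolver', RESOLVER_CONF)):
        print(name, assess_lookaside(conf))
```

Run as-is it classifies the first config as authoritative-only with validation having no effect, and the second as a recursive resolver where validation and lookaside are active. The distinction it encodes is the one the thread turns on: `dnssec-validation` and `dnssec-lookaside` operate when named resolves and validates answers for clients; with `recursion no` there is no such path, and what protects the data an authoritative server publishes is signing its own zones. Note also that ISC retired the dlv.isc.org registry in 2017, so on a current BIND the lookaside setting no longer has a live registry behind it.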