dnssec lookaside to dlv.isc.org broke recursion
Vinny Abello
vinny at tellurian.com
Thu Oct 23 14:32:06 UTC 2008
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Vinny Abello
> Sent: Thursday, October 23, 2008 10:25 AM
> To: Mark_Andrews at isc.org
> Cc: bind-users at isc.org
> Subject: RE: dnssec lookaside to dlv.isc.org broke recursion
>
> > Correct. You can also use
> >
> > "dig dnskey dlv.isc.org @127.0.0.1 | grep 257"
> >
> > daily from cron and when the answer changes go check the web
> > site.
> > I do something like this for all my trust anchors.
> >
> > % dig dnskey dlv.isc.org @127.0.0.1 | grep 257
> > dlv.isc.org. 7200 IN DNSKEY 257 3 5
> > BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> > brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> > 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> > ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> > Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> > QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
> > %
>
> Is there a best practice for getting this info into BIND in an
> automated fashion? I'm sure I could think of a way and script it, but
> why reinvent the wheel? If this is manual maintenance that has to be
> monitored and updated or else everything breaks, I can see some of the
> hesitation in using dnssec. That was my reservation in signing my own
> zones but the same issue exists here just to validate them.
>
> Will this always be the case even when the root becomes signed or is
> this just due to using the lookaside validation with DLV?
>
> Thanks for your response and time, Mark.
I just noticed that the key is available as part of the named.conf via the following URL:
https://secure.isc.org/ops/dlv/dlv.isc.org.named.conf
I'm assuming this is provided to automate updates. Would there be anything wrong with scripting a wget or similar way of retrieving the file, having that referenced in the named.conf with the include statement, and doing a reconfig afterwards?
-Vinny
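Mark's "dig ... | grep 257 from cron" check from the quoted reply, worked through as an added example (this is not code from the thread or from ISC): a POSIX shell script that pulls the key-signing keys (DNSKEY flags 257) out of `dig dnskey` output, compares them with the set saved on the previous run, and exits non-zero when they differ, so a KSK change surfaces as a cron mail instead of as a broken resolver. The dig output below is a constructed sample with placeholder key data, not the real dlv.isc.org key.

```shell
#!/bin/sh
# Watch the DLV key-signing key for changes: keep the last seen KSK set in a
# state file and return non-zero (so cron mails the operator) when it differs.

# Constructed sample resembling `dig dnskey dlv.isc.org @127.0.0.1` output.
# The key material is a placeholder, not the actual dlv.isc.org DNSKEY.
SAMPLE_DIG_OUTPUT='; <<>> DiG 9.5.0 <<>> dnskey dlv.isc.org @127.0.0.1
;; ANSWER SECTION:
dlv.isc.org. 7200 IN DNSKEY 256 3 5 AwEAAzskPLACEHOLDER==
dlv.isc.org. 7200 IN DNSKEY 257 3 5 AwEAAkskPLACE HOLDER=='

# Constructed sample of the same query after a hypothetical KSK rollover.
ROLLED_DIG_OUTPUT='dlv.isc.org. 7200 IN DNSKEY 257 3 5 AwEAAnewkskPLACEHOLDER=='

extract_ksk() {
    # $1: dig output. Prints "owner flags protocol algorithm keydata", one KSK
    # per line. dig prints the base64 in space-separated chunks, so fields 8..NF
    # are joined; the result is sorted so record order cannot fake a change.
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "DNSKEY" && $5 == "257" {
        key = ""
        for (i = 8; i <= NF; i++) key = key $i
        print $1, $5, $6, $7, key
    }' | sort
}

check_anchor() {
    # $1: dig output, $2: state file holding the KSK set from the previous run.
    current=$(extract_ksk "$1")
    if [ -z "$current" ]; then
        echo "ERROR: no KSK in the answer (resolver down or query failed?)"
        return 2
    fi
    if [ ! -f "$2" ]; then
        printf '%s\n' "$current" > "$2"
        echo "initialized"
        return 0
    fi
    if [ "$current" = "$(cat "$2")" ]; then
        echo "unchanged"
        return 0
    fi
    # Do not overwrite the old state: the operator decides after checking
    # https://secure.isc.org/ops/dlv/dlv.isc.org.named.conf
    printf '%s\n' "$current" > "$2.new"
    echo "CHANGED: KSK set differs from saved copy, see $2.new"
    return 1
}

# Stand-alone demo on the constructed sample. From cron, replace
# SAMPLE_DIG_OUTPUT with "$(dig dnskey dlv.isc.org @127.0.0.1)" and pass a
# persistent state file as the second argument of check_anchor.
extract_ksk "$SAMPLE_DIG_OUTPUT"
```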