ISC DLV dnssec

R Dicaire kritek at gmail.com
Sun Apr 5 17:51:52 UTC 2009


Hi folks, last night the ISC server responsible for responding to DLV
lookups was apparently down. Since all lookups were failing due to a
lack of response from this server, bind couldn't resolve anything at
all. I had to comment out a couple lines in named.conf to restore
function.

bind-9.4.3-P2

Here are the dnssec configuration lines used in named.conf:

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.;

trusted-keys {
        dlv.isc.org. 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeN
D4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf
8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF
1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};

I'm not sure, but if a lookup fails dnssec auth, shouldn't bind treat
the answer as insecure, and return said answer?

In the scenario described above, I wasn't even able to get answers,
let alone whether said answers could be authenticated.
Bv9ARM.pdf is unclear regarding how bind should behave regarding use
of dnssec-validation directive.

Shouldn't the behaviour for DLV lookups be such that if the query
can't be answered by the DLV server, then fall back to a non-dnssec
lookup?

Perhaps there's a configuration issue I'm using that caused this
unexpected behaviour I describe?

Thanks

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
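As an added illustration, not part of the original post or of BIND's own code: a simplified Python model of how a validator with dnssec-lookaside configured classifies a name, showing why an unreachable DLV registry produces SERVFAIL (indeterminate) rather than an insecure answer, and why removing the lookaside lines restores (unvalidated) resolution. The delegation chain, DS data, zone names and registry callbacks are constructed scenarios.

```python
from enum import Enum
from typing import Callable, Dict, Sequence, Set

class Status(Enum):
    SECURE = "secure"                # chain validated; answer returned with the AD bit set
    INSECURE = "insecure"            # provably unsigned; answer returned without AD
    INDETERMINATE = "indeterminate"  # cannot tell; BIND returns SERVFAIL to the client

# Possible outcomes of asking the registry for the DLV record of a zone
DLV_RECORD, DLV_NXDOMAIN, DLV_TIMEOUT = "record", "nxdomain", "timeout"

def validate(chain: Sequence[str], ds_present: Dict[str, bool], trust_anchors: Set[str],
             dlv_lookup: Callable[[str], str], lookaside: bool = True) -> Status:
    """Walk the delegation chain root-first the way a DLV-enabled validator does (simplified).
    chain: zones from the root towards the queried name; ds_present: whether the parent
    publishes a DS for a zone; trust_anchors: zones with a locally configured key (none for
    "." in 2009); dlv_lookup: stand-in for the query to the DLV registry; lookaside=False
    models the reporter's workaround of commenting out the dnssec-lookaside line."""
    secure = False
    for zone in chain:
        if zone in trust_anchors or (secure and ds_present.get(zone, False)):
            secure = True            # normal DS-based chain of trust continues
            continue
        if not lookaside:
            secure = False           # no DS and no lookaside: plain insecure delegation
            continue
        result = dlv_lookup(zone)    # no DS chain: consult the lookaside registry
        if result == DLV_RECORD:
            secure = True            # the DLV record acts as a trust anchor for this zone
        elif result == DLV_NXDOMAIN:
            secure = False           # authenticated denial: the zone is provably unsigned
        else:
            # No answer from the registry gives neither proof of signing nor of absence,
            # so the validator cannot classify the name and the client gets SERVFAIL.
            return Status.INDETERMINATE
    return Status.SECURE if secure else Status.INSECURE

# Constructed scenarios matching the incident described in the post
CHAIN = [".", "org.", "example.org."]
NO_DS: Dict[str, bool] = {}          # unsigned root and TLD, no DS anywhere (as in 2009)
def registry_up(zone: str) -> str:   # example.org. registered in DLV, others denied
    return DLV_RECORD if zone == "example.org." else DLV_NXDOMAIN
def registry_down(zone: str) -> str: # every DLV query times out
    return DLV_TIMEOUT

def outcomes() -> Dict[str, Status]:
    return {
        "registry up": validate(CHAIN, NO_DS, set(), registry_up),
        "registry down": validate(CHAIN, NO_DS, set(), registry_down),
        "lookaside disabled": validate(CHAIN, NO_DS, set(), registry_down, lookaside=False),
    }
```

On a live resolver the same distinction can be seen with `dig +cd`, which asks the validator to return the answer with checking disabled; a name that resolves with `+cd` but SERVFAILs without it is failing validation, not resolution.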
