Necessity of DNSSEC Lookaside Validation(DLV)

Mark Andrews Mark_Andrews at isc.org
Thu Apr 9 11:45:34 UTC 2009


In message <OFD3C12B6C.284D328A-ON65257592.005EC291-65257593.002C48F5 at itc.co.in>, Chandan Laskar writes:
>
> Thanks Bill.
> 
> We have an authoritative Name Server. Caching is not enabled in the Name 
> Server.
> 
> Also based on website 
> (http://www.netwidget.net/books/apress/dns/info/dlv.html), DLV is not an 
> IETF standardized feature and BIND 9.3.2 (We have 9.6.0-P1) is the current 
> recommended implementation Version. 

	DLV fits into this section of RFC 4035:

   5.  Authenticating DNS Responses

      The process for obtaining and authenticating this initial
      trust anchor is achieved via some external mechanism.  For example, a
      resolver could use some off-line authenticated exchange to obtain a
      zone's DNSKEY RR or to obtain a DS RR that identifies and
      authenticates a zone's DNSKEY RR.

> So I am still not convinced about the necessity of DLV incorporation in our 
> Setup.

	For an authoritative only setup I would be using TSIG to validate
	the zone transfers as you have an existing trust relationship.

	If you want other people to be able to validate the data
	you publish you need to sign your zone and publish your
	SEPs.  If your parent zone is not signed you can use DLV
	as a substitute for the parent zone.
 
	Mark
> Will be grateful if you provide me more suggestions.
> 
> Thanks and regards, 
> Chandan Laskar 
> 2nd Floor Data Center, ITC Center, 
> 4, Russel Street, Kolkata - 700 016 
> Phone:(033)-22889900 Extn.: 3944 
>              (0)-9830057396 (M) 
> 
> 
> 
> Bill Larson <wllarso at swcp.com>
> 04/07/2009 09:30 PM
> To: Chandan Laskar <Chandan.Laskar at itc.in>
> cc: bind-users at lists.isc.org
> Subject: Re: Necessity of DNSSEC Lookaside Validation(DLV)
> 
> On Apr 7, 2009, at 9:43 AM, Chandan Laskar wrote:
> 
> Hi, 
> We have deployed DNS  on RHEL 5 Update 1. Below are feature of our DNS. 
> 
> 1. Implemented OS Security Best Practice ( e.g. Enable MD5 and shadow 
> passwords, Root Login Console Restricted, Configure SSH as an alternative 
> of Telnet e.t.c.). 
> 2. Configured Openssl Version 0.9.8j. 
> 3. Configured BIND 9.6.0-P1 with CHROOT Environment. So BIND is not 
> running as root user. 
> 4. IPTABLES has been configured to block all the irrelevant ports.
> 5. Allow Update Feature in named.conf is not changed. So, by default it is 
> 'NO' 
>  
> After all the above mentioned protection do we really need to incorporate 
> DNSSEC Lookaside Validation(DLV) in our DNS? 
> 
> Suggestion Please. 
> 
> Your implementation is protecting the DNS server itself - very good.  The 
> purpose of DLV is to ensure that the DNS data that your server provides, 
> and all DNSSEC data your server processes, is valid. 
> 
> The DNSSEC/DLV configuration protects your DNS data from being "spoofed" 
> on another DNS server.  It also ensures that the DNS data that your server 
> may be handing out recursively is not compromised.  Protecting both 
> sides of the DNS service for your users is necessary (at least important).
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
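Added example, not part of the thread and not ISC's own configuration: a named.conf fragment for the authoritative-only setup Mark describes (TSIG-authenticated zone transfers, a signed zone, and a DLV record produced at signing time because the parent zone is unsigned), with the one-time key generation and signing commands shown as comments at the top. The zone name, the 192.0.2.2 secondary address, the key name, the secret and the file paths are placeholders. Caveat: ISC retired the dlv.isc.org registry in 2017 and removed lookaside validation from BIND 9.16, so the `-l dlv.isc.org` step and the DLV registration are historical; the TSIG transfer restriction and zone signing still apply as described.

```conf
# One-time steps on the master, BIND 9.6 tools (placeholder names throughout).
#
#   dnssec-keygen -a RSASHA1 -b 2048 -n ZONE example.com            # ZSK
#   dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK example.com     # KSK, the SEP
#   cat Kexample.com.+005+*.key >> example.com.zone                 # DNSKEYs into the zone
#   dnssec-signzone -l dlv.isc.org -o example.com example.com.zone  # writes example.com.zone.signed
#
# -l also writes dlvset-example.com. next to dsset-example.com.; the DLV
# record is what was registered with the lookaside registry when the parent
# could not carry the DS.  A validating resolver then uses its DLV trust
# anchor instead of a chain from the root.  This server validates nothing,
# so it carries no dnssec-lookaside statement of its own.

# TSIG key shared with the secondary; generate the secret with
#   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key
key xfer-key {
    algorithm hmac-sha256;
    secret "<base64 secret from the generated key file>";   # placeholder
};

# Sign every message sent to the secondary (documentation address) with the key.
server 192.0.2.2 {
    keys { xfer-key; };
};

options {
    directory "/var/named";
    recursion no;                          # authoritative only
    allow-transfer { key xfer-key; };      # AXFR/IXFR only with a valid TSIG signature
    allow-update { none; };                # the default, stated explicitly
};

zone "example.com" {
    type master;
    file "example.com.zone.signed";        # serve the signed output, not the unsigned source
};
```

After each re-sign (or a key rollover) reload the zone so the secondary pulls the new RRSIGs over the TSIG-protected transfer; the unsigned source file never needs to be reachable by the secondary.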