Disabling DNSSEC validation per zone?

Hauke Lampe list+bindusers at hauke-lampe.de
Wed Sep 2 11:18:33 UTC 2009


Mark Andrews wrote:
> In message <4A99ABEB.7080202 at hauke-lampe.de>, Hauke Lampe writes:

>> I am looking for a way to disable DNSSEC lookaside validation for a given
>> zone.
>>
>> For any query to this zone, BIND tries to look up
>> example.net.dlv.isc.org DLV records. If the external internet connection
>> is down and the DLV record not cached, internal hostname resolution
>> fails because BIND cannot prove the zone's insecure state.
> 
> Just sign your internal zone and add a trusted-keys clause for it
> and you won't use DLV.  named only uses dlv if the zone is provably
> insecure based on the trust-anchors configured.

That's what I was trying to avoid for now. The internal zone doesn't
lend itself very well to DNSSEC-signing yet.

Also, name resolution failures for internal hostnames like LDAP servers
or Kerberos names can cause a lot of trouble. I would have a hard time
justifying the benefits of DNSSEC validation if it bears the risk of
disrupting the internal network every time the SDSL connection congests
or a local zone admin manages to wreck the signatures.


What we try to achieve is:

- Validate DNSSEC signatures on resolvers close to the clients, using
dlv.isc.org
- Keep internal name resolution functioning, even if the connection to
the outer internet is down


I see the following options to do this. Please correct me if I missed some:

1. Sign the internal zone and configure trust-anchors on each resolver.
We really don't want to go there right now.

2. Tell BIND about known-insecure zones, so it won't try to locate DLV
records, e.g. "dnssec-must-be-secure example.net never". Not possible
without changes to BIND, AFAICS.

3. Mirror the DLV zone locally, so that interruptions in the internet
connection won't block internal name resolution. We would probably use
this as an interim solution until either 1. or 2. is available.

I know I could simply recreate the DLV zone with dnssec-walker. An
official distribution via [AI]XFR, rsync or HTTP would be much
appreciated, though.



Hauke.
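The following named.conf fragment is an added illustration of option 3 from the post above (keeping a local copy of the DLV zone next to a validating resolver); it is not configuration from the original message or from ISC. It assumes an internal server at 192.0.2.10 that holds a copy of dlv.isc.org (for example one rebuilt with dnssec-walker, as the post describes), and the trusted-keys entry is a placeholder: the real dlv.isc.org key must be obtained from ISC and verified out of band. The internal zone name example.net is the one used in the post.

```conf
// Added example: validating resolver with a local secondary of dlv.isc.org.
// Assumptions: 192.0.2.10 serves a copy of the DLV zone; the trusted-keys
// data below is a PLACEHOLDER and must be replaced with the real DLV key.

options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
    // Apply DLV to every name (the "." domain), anchored on dlv.isc.org.
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

trusted-keys {
    // PLACEHOLDER key material (KSK: flags 257, protocol 3); obtain and
    // verify the genuine dlv.isc.org key before enabling validation.
    dlv.isc.org. 257 3 5 "...";
};

// Local secondary copy of the DLV zone. While the uplink is down, the
// lookup for example.net.dlv.isc.org is answered from this copy: the NSEC
// record proves there is no DLV entry, the zone is treated as insecure and
// internal resolution proceeds instead of failing on a timed-out query.
zone "dlv.isc.org" {
    type slave;
    file "slave/dlv.isc.org";
    masters { 192.0.2.10; };   // assumed internal source of the DLV copy
};

// The internal zone from the post, unsigned, served as usual.
zone "example.net" {
    type master;
    file "master/example.net";
};
```

Two caveats a practitioner would check: the local copy only helps while it has not passed its SOA expire time, so the refresh path from 192.0.2.10 needs monitoring as well; and a copy rebuilt with dnssec-walker is a reconstruction, not an official transfer, which is exactly why the post asks ISC for an [AI]XFR, rsync or HTTP distribution. To confirm the resolver treats the internal zone as provably insecure rather than broken, query it directly, for example `dig @127.0.0.1 +dnssec ldap.example.net`: NOERROR without the `ad` flag is the expected result for an unsigned internal zone, while SERVFAIL means the resolver could not complete the DLV lookup.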
