NetBSD-Users archive


Re: DNS Failures - All of a sudden today 20200325



> My caching dns failed unexpectedly today, apparently I was not alone:
> https://www.mail-archive.com/bind-users%lists.isc.org@localhost/msg28624.html
> From ISC: "We apparently let our signatures on dlv.isc.org expire."

Ouch!

> I fixed this temporarily by adding:
>   dnssec-accept-expired yes;
> Which feels risky...

Yes, I would not do that.

> Another user on the ISC list suggested setting
>   dnssec-lookaside no;
> Which also feels risky.

No, that's not risky at all!

Given the current mess-up, ref. above (I wasn't aware of the cause),
this is exactly the right solution.  I don't know what the default
value for "dnssec-lookaside" is for the version of BIND you run, so
setting it to "no" may be safest.  This turns off the use of
dlv.isc.org, which was used as a DNSSEC bootstrap mechanism before
.com, .net, .org, and the root were DNSSEC-signed.  ISC has argued
that the purpose of dlv.isc.org is now made redundant, since all the
aforementioned zones have long since been signed.  Ref.

  https://www.isc.org/blogs/dlv/

> And generically ISC suggested all users remove the dlv.isc.org
> zone from their configuration...

...and any *use* of the zone, which is implied by dnssec-lookaside
configuration of either "auto" or "yes".

Best regards,

- Håvard
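The two settings discussed in this thread, side by side, as an added
example for readers of the archive (this is not configuration posted by
either participant). It is a named.conf "options" fragment; the zone
names and comments are illustrative and assume a stock BIND that ships
its root trust anchor in bind.keys.

```conf
// Added example, not from the original messages.
//
// The workaround the original poster tried.  Shown here only so the
// difference is visible; do not use it.  "dnssec-accept-expired yes"
// is global: it stops the validator rejecting *any* RRSIG whose
// expiry has passed, not only the ones on dlv.isc.org, so replayed
// stale signatures for every signed zone would validate again.
//
// options {
//     dnssec-validation auto;
//     dnssec-accept-expired yes;   // disables expiry checking globally
//     dnssec-lookaside auto;       // still consults dlv.isc.org
// };

// The fix suggested on bind-users and endorsed above.
options {
    // Validate against the root trust anchor that BIND ships
    // (managed-keys / bind.keys).  With the root, .com, .net and
    // .org signed there is nothing for lookaside to bootstrap.
    dnssec-validation auto;

    // Leave the default in place: an expired RRSIG is a failure.
    dnssec-accept-expired no;

    // Never consult dlv.isc.org.  Explicit "no" rather than relying
    // on whatever the default is for the installed version.
    dnssec-lookaside no;
};

// Any leftover DLV trust anchor elsewhere in the configuration, e.g.
// a "trusted-keys" or "managed-keys" entry for dlv.isc.org, or a
// "dnssec-lookaside . trust-anchor dlv.isc.org;" statement, should be
// deleted as well; with "auto" or "yes" it would keep being used.
```

After editing, `named-checkconf` confirms the syntax, `rndc reconfig`
applies it, and `dig +dnssec` against a signed name should still return
the `ad` flag, which shows validation is working without lookaside.
Newer BIND releases have removed DLV support altogether, in which case
only the leftover anchor needs removing; check the ARM for the version
actually installed.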

