ISC BIND 9 breakage?

Clayton Zekelman clayton at MNSi.Net
Thu Mar 26 09:49:07 UTC 2020



Was it a "glitch" or someone just plain old forgot to do it?



At 02:29 AM 26/03/2020, Mark Andrews wrote:
>It was a glitch with the re-signing of the zone. There should be an official
>report sometime tomorrow.  That said "dnssec-lookaside auto;" has been a no-op
>in BIND since BIND 9.9.12, BIND 9.10.7, BIND 9.11.3 and a fatal configuration
>error as of BIND 9.12.0.  We didn’t want the DLV lookup traffic and it provides no
>benefit as the zone has been empty since 2017.
>
>If you have dnssec-lookaside configured in named.conf please remove it otherwise
>the DLV code in the validator has to cryptographically prove that DLV records don’t
>exist before returning that the response is insecure.  That requires talking to the
>servers for dlv.isc.org.  It does this every hour for an active validating resolver
>that is still running DNSSEC lookaside validation.
>
>Mark
>
> > On 26 Mar 2020, at 04:18, Drew Weaver <drew.weaver at thenap.com> wrote:
> >
> > Did anyone else on CentOS 6 just have some DNS resolvers totally fall over?
> >
> > I noticed that this command: dnssec-lookaside auto; was causing the issue. The issue occurred right at about 1PM EST.
> >
> > I see this note in the ISC key file..
> >
> > # ISC DLV: See https://www.isc.org/solutions/dlv for details.
> >         #
> >         # NOTE: The ISC DLV zone is being phased out as of February 2017;
> >         # the key will remain in place but the zone will be otherwise empty.
> >         # Configuring "dnssec-lookaside auto;" to activate this key is
> >         # harmless, but is no longer useful and is not recommended.
> >
> > It’s not harmless anymore.
>
>--
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

-- 

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409        